From ba98ad04f280f27006ffb2353dc429d136e5fb7b Mon Sep 17 00:00:00 2001 From: Merikei <73759842+Merikei@users.noreply.github.com> Date: Sat, 1 Nov 2025 02:04:54 +0000 Subject: [PATCH 01/54] xlights: add .desktop file & icon --- pkgs/by-name/xl/xlights/package.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkgs/by-name/xl/xlights/package.nix b/pkgs/by-name/xl/xlights/package.nix index 98d31d1a47c1..8f8787242ba0 100644 --- a/pkgs/by-name/xl/xlights/package.nix +++ b/pkgs/by-name/xl/xlights/package.nix @@ -13,6 +13,16 @@ appimageTools.wrapType2 rec { hash = "sha256-k5HGk5t/ujPuOU/GlxhA+yKKXy0lq8YkxcQkTUVBYXM="; }; + appimageContents = appimageTools.extract { inherit pname version src; }; + + extraInstallCommands = '' + install -m 444 -D ${appimageContents}/xlights.desktop $out/share/applications/xlights.desktop + install -m 444 -D ${appimageContents}/usr/share/icons/hicolor/256x256/apps/xlights.png \ + $out/share/icons/hicolor/256x256/apps/xlights.png + substituteInPlace $out/share/applications/xlights.desktop \ + --replace-fail 'Exec=xLights' 'Exec=xlights' + ''; + meta = { description = "Sequencer for lights with USB and E1.31 drivers"; homepage = "https://xlights.org"; From 9e5226c5a4626080227305b3f0a9e56948730746 Mon Sep 17 00:00:00 2001 From: hungriest-ghost Date: Mon, 25 May 2026 12:56:10 +0100 Subject: [PATCH 02/54] intiface-central: fix hang on splash screen add env var wrapper for flutter rust bridge to find the rust generated .so files --- pkgs/by-name/in/intiface-central/package.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/in/intiface-central/package.nix b/pkgs/by-name/in/intiface-central/package.nix index 34b2c6e0a62d..7a4fd3bc653e 100644 --- a/pkgs/by-name/in/intiface-central/package.nix +++ b/pkgs/by-name/in/intiface-central/package.nix @@ -146,9 +146,8 @@ flutter338.buildFlutterApplication { ln -s ${buttplug} ../buttplug ''; - # without this, only the splash screen will be shown and the logs will contain the - # line `Failed to load dynamic library 'lib/libintiface_engine_flutter_bridge.so'` - extraWrapProgramArgs = "--chdir $out/app/intiface-central"; + # without this, only the splash screen will be shown + extraWrapProgramArgs = "--set FRB_DART_LOAD_EXTERNAL_LIBRARY_NATIVE_LIB_DIR $out/app/intiface-central/lib"; postInstall = '' install -Dm644 $out/app/intiface-central/data/flutter_assets/assets/icons/intiface_central_icon.png $out/share/icons/hicolor/512x512/apps/intiface-central.png From 30ac03c4b20278f6b2d2d2b6ee4b1323baa3acd6 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Sun, 14 Jun 2026 21:20:13 +0100 Subject: [PATCH 03/54] scid: fix the build after `enable stubs by default` change Without the change the build fails on `master` as https://hydra.nixos.org/build/329484354: ``` Invalid argument: --enable-stubs ``` --- pkgs/by-name/sc/scid/package.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/by-name/sc/scid/package.nix b/pkgs/by-name/sc/scid/package.nix index c093366bf294..2b7a4a21c8f1 100644 --- a/pkgs/by-name/sc/scid/package.nix +++ b/pkgs/by-name/sc/scid/package.nix @@ -35,6 +35,8 @@ tcl.mkTclDerivation rec { zlib ]; + addTclConfigureFlags = false; + configureFlags = [ "BINDIR=$(out)/bin" "SHAREDIR=$(out)/share" From 658f16c12667eaf0ff165b1f203a876005340765 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 16 Jun 2026 15:33:00 +0000 Subject: [PATCH 04/54] handheld-daemon: 4.1.9 -> 4.1.10 --- pkgs/by-name/ha/handheld-daemon/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ha/handheld-daemon/package.nix b/pkgs/by-name/ha/handheld-daemon/package.nix index b9f075e7a415..bfcc3a97de35 100644 --- a/pkgs/by-name/ha/handheld-daemon/package.nix +++ b/pkgs/by-name/ha/handheld-daemon/package.nix @@ -16,14 +16,14 @@ }: python3Packages.buildPythonApplication (finalAttrs: { pname = "handheld-daemon"; - version = "4.1.9"; + version = "4.1.10"; pyproject = true; src = fetchFromGitHub { owner = "hhd-dev"; repo = "hhd"; tag = "v${finalAttrs.version}"; - hash = "sha256-pzcMIXLZUkSqJuZTujAoKjfPuZgtit4u08wHZPPz8Ss="; + hash = "sha256-+POL5d9kn5oCGeu79gWxK0b0UHn//j/QjHq9wLZw6h8="; }; # Handheld-daemon runs some selinux-related utils which are not in nixpkgs. From fa37940bfe22a20ca1c8733858086ac98101a6b7 Mon Sep 17 00:00:00 2001 From: Shawn8901 Date: Thu, 18 Jun 2026 23:12:38 +0200 Subject: [PATCH 05/54] nixos/tests/victoriametrics: migrate to container tests --- .../external-promscrape-config.nix | 12 +++---- nixos/tests/victoriametrics/remote-write.nix | 12 +++---- nixos/tests/victoriametrics/vmalert.nix | 32 +++++++++---------- 3 files changed, 28 insertions(+), 28 deletions(-) diff --git a/nixos/tests/victoriametrics/external-promscrape-config.nix b/nixos/tests/victoriametrics/external-promscrape-config.nix index f645b8c839b9..15b8c9bde157 100644 --- a/nixos/tests/victoriametrics/external-promscrape-config.nix +++ b/nixos/tests/victoriametrics/external-promscrape-config.nix @@ -29,8 +29,8 @@ in ]; }; - nodes = { - victoriametrics = + containers = { + vmserver = { pkgs, ... }: { environment.systemPackages = [ pkgs.jq ]; @@ -55,14 +55,14 @@ in node.wait_for_unit("prometheus-node-exporter") node.wait_for_open_port(${toString nodeExporterPort}) - victoriametrics.wait_for_unit("victoriametrics") - victoriametrics.wait_for_open_port(8428) + vmserver.wait_for_unit("victoriametrics") + vmserver.wait_for_open_port(8428) - promscrape_config = victoriametrics.succeed("journalctl -u victoriametrics -o cat | grep 'promscrape.config'") + promscrape_config = vmserver.succeed("journalctl -u victoriametrics -o cat | grep 'promscrape.config'") assert '${toString promscrapeConfigYaml}' in promscrape_config - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl -sf 'http://localhost:8428/api/v1/query?query=node_exporter_build_info\{instance=\"node:9100\"\}' | " + "jq '.data.result[0].value[1]' | grep '\"1\"'" ) diff --git a/nixos/tests/victoriametrics/remote-write.nix b/nixos/tests/victoriametrics/remote-write.nix index 1788c9d8747c..721c4822c1d0 100644 --- a/nixos/tests/victoriametrics/remote-write.nix +++ b/nixos/tests/victoriametrics/remote-write.nix @@ -14,8 +14,8 @@ in ]; }; - nodes = { - victoriametrics = + containers = { + vmserver = { pkgs, ... }: { environment.systemPackages = [ pkgs.jq ]; @@ -34,7 +34,7 @@ in services.vmagent = { enable = true; remoteWrite = { - url = "http://victoriametrics:8428/api/v1/write"; + url = "http://vmserver:8428/api/v1/write"; basicAuthUsername = username; basicAuthPasswordFile = toString passwordFile; }; @@ -71,13 +71,13 @@ in node.wait_for_unit("prometheus-node-exporter") node.wait_for_open_port(9100) - victoriametrics.wait_for_unit("victoriametrics") - victoriametrics.wait_for_open_port(8428) + vmserver.wait_for_unit("victoriametrics") + vmserver.wait_for_open_port(8428) vmagent.wait_for_unit("vmagent") # check remote write - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl --user '${username}:${password}' -sf 'http://localhost:8428/api/v1/query?query=node_exporter_build_info\{instance=\"node:9100\"\}' | " + "jq '.data.result[0].value[1]' | grep '\"1\"'" ) diff --git a/nixos/tests/victoriametrics/vmalert.nix b/nixos/tests/victoriametrics/vmalert.nix index e6a0ab5d4e52..684b60d0a605 100644 --- a/nixos/tests/victoriametrics/vmalert.nix +++ b/nixos/tests/victoriametrics/vmalert.nix @@ -9,8 +9,8 @@ ]; }; - nodes = { - victoriametrics = + containers = { + vmserver = { config, pkgs, ... }: { environment.systemPackages = [ pkgs.jq ]; @@ -27,7 +27,7 @@ static_configs = [ { targets = [ - "alertmanager:${toString config.services.prometheus.alertmanager.port}" + "alert:${toString config.services.prometheus.alertmanager.port}" ]; } ]; @@ -51,7 +51,7 @@ settings = { "datasource.url" = "http://localhost:8428"; # victoriametrics' api "notifier.url" = [ - "http://alertmanager:${toString config.services.prometheus.alertmanager.port}" + "http://alert:${toString config.services.prometheus.alertmanager.port}" ]; # alertmanager's api rule = [ (pkgs.writeText "instance-down.yml" '' @@ -71,7 +71,7 @@ }; }; - alertmanager = { + alert = { services.prometheus.alertmanager = { enable = true; openFirewall = true; @@ -115,33 +115,33 @@ }; testScript = '' - alertmanager.wait_for_unit("alertmanager") - alertmanager.wait_for_open_port(9093) - alertmanager.wait_until_succeeds("curl -s http://127.0.0.1:9093/-/ready") + alert.wait_for_unit("alertmanager") + alert.wait_for_open_port(9093) + alert.wait_until_succeeds("curl -s http://127.0.0.1:9093/-/ready") logger.wait_for_unit("alertmanager-webhook-logger") logger.wait_for_open_port(6725) - victoriametrics.wait_for_unit("victoriametrics") - victoriametrics.wait_for_unit("vmalert") - victoriametrics.wait_for_open_port(8428) + vmserver.wait_for_unit("victoriametrics") + vmserver.wait_for_unit("vmalert") + vmserver.wait_for_open_port(8428) - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl -sf 'http://127.0.0.1:8428/api/v1/query?query=count(up\{job=\"alertmanager\"\}==1)' | " + "jq '.data.result[0].value[1]' | grep '\"1\"'" ) - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl -sf 'http://127.0.0.1:8428/api/v1/query?query=sum(alertmanager_build_info)%20by%20(version)' | " + "jq '.data.result[0].metric.version' | grep '\"${pkgs.prometheus-alertmanager.version}\"'" ) - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl -sf 'http://127.0.0.1:8428/api/v1/query?query=count(up\{job=\"node\"\}!=1)' | " + "jq '.data.result[0].value[1]' | grep '\"1\"'" ) - victoriametrics.wait_until_succeeds( + vmserver.wait_until_succeeds( "curl -sf 'http://127.0.0.1:8428/api/v1/query?query=alertmanager_notifications_total\{integration=\"webhook\"\}' | " + "jq '.data.result[0].value[1]' | grep -v '\"0\"'" ) @@ -152,6 +152,6 @@ logger.log(logger.succeed("systemd-analyze security alertmanager-webhook-logger.service | grep -v '✓'")) - alertmanager.log(alertmanager.succeed("systemd-analyze security alertmanager.service | grep -v '✓'")) + alert.log(alert.succeed("systemd-analyze security alertmanager.service | grep -v '✓'")) ''; } From cea5e9102b73b5205efd3e8c09c6710188270728 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sat, 27 Jun 2026 21:37:00 +0000 Subject: [PATCH 06/54] adscan: 9.1.1 -> 9.2.0 --- pkgs/by-name/ad/adscan/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ad/adscan/package.nix b/pkgs/by-name/ad/adscan/package.nix index 80646c0ab464..03e840cd3223 100644 --- a/pkgs/by-name/ad/adscan/package.nix +++ b/pkgs/by-name/ad/adscan/package.nix @@ -7,7 +7,7 @@ python3Packages.buildPythonApplication (finalAttrs: { pname = "adscan"; - version = "9.1.1"; + version = "9.2.0"; pyproject = true; __structuredAttrs = true; @@ -16,7 +16,7 @@ python3Packages.buildPythonApplication (finalAttrs: { owner = "ADScanPro"; repo = "adscan"; tag = "v${finalAttrs.version}"; - hash = "sha256-lVoDPRw2NQBQJo37uKT807HXN28cDFxiWwedTiYhojc="; + hash = "sha256-28v36+sbgt/xaE8N7w4o0WTMYd95QsW190VPhOgL3+8="; }; pythonRelaxDeps = [ "credsweeper" ]; From c6fb06d051c66275e8f0f7369c86e53fbc209755 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 27 Jun 2026 23:24:34 +0100 Subject: [PATCH 07/54] binutilsDualAs: drop --- pkgs/top-level/aliases.nix | 1 + pkgs/top-level/all-packages.nix | 5 ----- pkgs/top-level/darwin-aliases.nix | 2 ++ pkgs/top-level/darwin-packages.nix | 26 -------------------------- 4 files changed, 3 insertions(+), 31 deletions(-) diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 171fbaccca1c..f7155afa6133 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -388,6 +388,7 @@ mapAliases { biff = throw "biff has been renamed to/replaced by 'bttf'"; # Added 2026-06-04 bindle = throw "bindle has been removed since it is vulnerable to CVE-2025-62518 and upstream has been archived"; # Added 2025-10-24 binserve = throw "'binserve' has been removed because it is unmaintained upstream."; # Added 2025-11-29 + binutilsDualAs = throw "binutilsDualAs has been removed because it was only useful on `x86_64-darwin` and also only useful for the GNAT bootstrap and also not even used for that any more and actually what on earth were you using this thing for anyway?"; # Added 2026-06-27 bitbucket-server-cli = throw "bitbucket-server-cli has been removed due to lack of maintenance upstream."; # Added 2025-05-27 bitcoin-abc = throw "bitcoin-abc has been removed due to a lack of maintanance"; # Added 2025-06-17 bitcoind-abc = throw "bitcoind-abc has been removed due to a lack of maintanance"; # Added 2025-06-17 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 2de278fceb56..c8f0c8aa7bb4 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5006,11 +5006,6 @@ with pkgs; bintools = bintools-unwrapped; }; - bintoolsDualAs = wrapBintoolsWith { - bintools = darwin.binutilsDualAs-unwrapped; - wrapGas = true; - }; - black = with python3Packages; toPythonApplication black; black-macchiato = with python3Packages; toPythonApplication black-macchiato; diff --git a/pkgs/top-level/darwin-aliases.nix b/pkgs/top-level/darwin-aliases.nix index 96aab9d0af29..72a7dbc9434a 100644 --- a/pkgs/top-level/darwin-aliases.nix +++ b/pkgs/top-level/darwin-aliases.nix @@ -103,6 +103,8 @@ stubs ### B ### + binutilsDualAs = throw "binutilsDualAs has been removed because it was only useful on `x86_64-darwin` and also only useful for the GNAT bootstrap and also not even used for that any more and actually what on earth were you using this thing for anyway?"; # Added 2026-06-27 + binutilsDualAs-unwrapped = throw "binutilsDualAs has been removed because it was only useful on `x86_64-darwin` and also only useful for the GNAT bootstrap and also not even used for that any more and actually what on earth were you using this thing for anyway?"; # Added 2026-06-27 builder = throw "'darwin.builder' has been changed and renamed to 'darwin.linux-builder'. The default ssh port is now 31022. Please update your configuration or override the port back to 22. See https://nixos.org/manual/nixpkgs/unstable/#sec-darwin-builder"; # added 2023-07-06 bsdmake = pkgs.bmake; # added 2024-10-03 diff --git a/pkgs/top-level/darwin-packages.nix b/pkgs/top-level/darwin-packages.nix index 5010f2658c7e..33e09e254c43 100644 --- a/pkgs/top-level/darwin-packages.nix +++ b/pkgs/top-level/darwin-packages.nix @@ -69,32 +69,6 @@ makeScopeWithSplicing' { bintools = self.binutils-unwrapped; }; - # x86-64 Darwin gnat-bootstrap emits assembly - # with MOVQ as the mnemonic for quadword interunit moves - # such as `movq %rbp, %xmm0`. - # The clang integrated assembler recognises this as valid, - # but unfortunately the cctools.gas GNU assembler does not; - # it instead uses MOVD as the mnemonic. - # The assembly that a GCC build emits is determined at build time - # and cannot be changed afterwards. - # - # To build GNAT on x86-64 Darwin, therefore, - # we need both the clang _and_ the cctools.gas assemblers to be available: - # the former to build at least the stage1 compiler, - # and the latter at least to be detectable - # as the target for the final compiler. - binutilsDualAs-unwrapped = buildEnv { - name = "${lib.getName self.binutils-unwrapped}-dualas-${lib.getVersion self.binutils-unwrapped}"; - paths = [ - self.binutils-unwrapped - (lib.getOutput "gas" cctools) - ]; - }; - - binutilsDualAs = self.binutils.override { - bintools = self.binutilsDualAs-unwrapped; - }; - sourceRelease = self.callPackage ../os-specific/darwin/sourceRelease { }; inherit (self.file_cmds) xattr; From 9a8a028e8c8fd81ae37965ad5ea47282ee951bc9 Mon Sep 17 00:00:00 2001 From: Yaroslav Bolyukin Date: Tue, 30 Jun 2026 03:57:28 +0200 Subject: [PATCH 08/54] python3Packages.google-cloud-datacatalog: 3.29.0 -> 3.31.0 --- .../python-modules/google-cloud-datacatalog/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/google-cloud-datacatalog/default.nix b/pkgs/development/python-modules/google-cloud-datacatalog/default.nix index f5b745956ce1..599dd3073cd2 100644 --- a/pkgs/development/python-modules/google-cloud-datacatalog/default.nix +++ b/pkgs/development/python-modules/google-cloud-datacatalog/default.nix @@ -16,14 +16,14 @@ buildPythonPackage (finalAttrs: { pname = "google-cloud-datacatalog"; - version = "3.29.0"; + version = "3.31.0"; pyproject = true; src = fetchFromGitHub { owner = "googleapis"; repo = "google-cloud-python"; tag = "google-cloud-datacatalog-v${finalAttrs.version}"; - hash = "sha256-dVgcnnInqjUjySL7wjxGzI33t1YZJ8e9mSsmjAJ+fBI="; + hash = "sha256-M/7uDWWz4YCfxa4gyM9BaAo10iyTMvtR2MhNpdFYnis="; }; sourceRoot = "${finalAttrs.src.name}/packages/google-cloud-datacatalog"; From 78b32cc02bffef813ba9d833fa80bc6f5bd6619e Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 30 Jun 2026 02:40:56 +0000 Subject: [PATCH 09/54] embedxpl: 3.8.1 -> 3.8.8 --- pkgs/by-name/em/embedxpl/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/em/embedxpl/package.nix b/pkgs/by-name/em/embedxpl/package.nix index d0dc0c484c3e..71069e1fa840 100644 --- a/pkgs/by-name/em/embedxpl/package.nix +++ b/pkgs/by-name/em/embedxpl/package.nix @@ -6,14 +6,14 @@ python3.pkgs.buildPythonApplication (finalAttrs: { pname = "embedxpl"; - version = "3.8.1"; + version = "3.8.8"; pyproject = true; src = fetchFromGitHub { owner = "mrhenrike"; repo = "EmbedXPL-Forge"; tag = "v${finalAttrs.version}"; - hash = "sha256-y3Ftmqb5RnY1U2uqrq4Olyr0I0ZVJo/pgMY7RpbZqlU="; + hash = "sha256-L3gY2wna1V7nF/vGwr1hzq8WeQxTTsvgKMAatVUKZ9E="; }; __structuredAttrs = true; From 2483ee9ff5f8b312794579d03867c544e63fad81 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 30 Jun 2026 05:02:39 +0000 Subject: [PATCH 10/54] python3Packages.simplisafe-python: 2024.01.0 -> 2026.06.0 --- pkgs/development/python-modules/simplisafe-python/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/simplisafe-python/default.nix b/pkgs/development/python-modules/simplisafe-python/default.nix index 27b021ff8fb1..81ddef813dd0 100644 --- a/pkgs/development/python-modules/simplisafe-python/default.nix +++ b/pkgs/development/python-modules/simplisafe-python/default.nix @@ -20,14 +20,14 @@ buildPythonPackage rec { pname = "simplisafe-python"; - version = "2024.01.0"; + version = "2026.06.0"; pyproject = true; src = fetchFromGitHub { owner = "bachya"; repo = "simplisafe-python"; tag = version; - hash = "sha256-ewbR2FI0t2F8HF0ZL5omsclB9OPAjHygGLPtSkVlvgM="; + hash = "sha256-e59h4zX0AuzNlR1sovw4QJ6zXxksElY5emEM9eTfjwI="; }; nativeBuildInputs = [ poetry-core ]; From 33b5e7c400ee9ed77b4f3102be79ec82aee9bfb4 Mon Sep 17 00:00:00 2001 From: Daniel Schaefer Date: Tue, 30 Jun 2026 13:19:35 +0800 Subject: [PATCH 11/54] libfprint: Add patches to support more hardware libfprint does not release very often, so include some already merged patches to add support for new hardware until the next official release. Low risk, since it just adds new IDs. Signed-off-by: Daniel Schaefer --- pkgs/by-name/li/libfprint-tod/package.nix | 4 +++ pkgs/by-name/li/libfprint/package.nix | 30 +++++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/pkgs/by-name/li/libfprint-tod/package.nix b/pkgs/by-name/li/libfprint-tod/package.nix index 9abebbb42b25..120082b2029e 100644 --- a/pkgs/by-name/li/libfprint-tod/package.nix +++ b/pkgs/by-name/li/libfprint-tod/package.nix @@ -27,6 +27,10 @@ libfprint.overrideAttrs ( hash = "sha256-xkywuFbt8EFJOlIsSN2hhZfMUhywdgJ/uT17uiO3YV4="; }; + # Different source than libfprint, so override any patches, because they + # would only apply to the original source tree + patches = [ ]; + mesonFlags = [ # Include virtual drivers for fprintd tests "-Ddrivers=all" diff --git a/pkgs/by-name/li/libfprint/package.nix b/pkgs/by-name/li/libfprint/package.nix index 160cec4aa0f9..edfc4aa8ea74 100644 --- a/pkgs/by-name/li/libfprint/package.nix +++ b/pkgs/by-name/li/libfprint/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchFromGitLab, + fetchpatch, pkg-config, meson, python3, @@ -35,6 +36,35 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-aNBUIKY3PP5A07UNg3N0qq+2cwb6Fk67oKQcXgr2G/4="; }; + patches = [ + # New hardware support since 1.94.10, just new USB Product IDs + (fetchpatch { + name = "realtek-3274-9003.patch"; + url = "https://gitlab.freedesktop.org/libfprint/libfprint/-/commit/a25f71cf97820c51edc4c32f84686fcdc608d9d1.patch"; + sha256 = "sha256-T9rvT53Ij+5gtiVOp+xfzQwiVkyF0m6lZAUCXWmaugg="; + }) + (fetchpatch { + name = "elan-0c58.patch"; + url = "https://gitlab.freedesktop.org/libfprint/libfprint/-/commit/4610f2285e6373c2fe4ead0dff4ebf8dabe4e532.patch"; + sha256 = "sha256-VR96V+7FvSa8sE6JpcCx/slZ0MaK9HLuNuAay2P9C6M="; + }) + (fetchpatch { + name = "elan-04F3-0C9C.patch"; + url = "https://gitlab.freedesktop.org/libfprint/libfprint/-/commit/2bdc2b7ca6d8bedc675054934fbc8f8b6a21deac.patch"; + sha256 = "sha256-LFMip9Mq55uDRgHkW+XeI+j0mILOb7DIHscHjyKe4yE="; + }) + (fetchpatch { + name = "focal-077a-079a.patch"; + url = "https://gitlab.freedesktop.org/libfprint/libfprint/-/commit/2c7842c905147a2d127c1b168b2e9d432b8c91a4.patch"; + sha256 = "sha256-PuISGITn0/6AWY0WVUfViZtdcQFh+0s+4OLIszqdLUs="; + }) + (fetchpatch { + name = "focal-a97a.patch"; + url = "https://gitlab.freedesktop.org/libfprint/libfprint/-/commit/0dc384b90ed8cd78b3e8d7c0d30a953bd088b98c.patch"; + sha256 = "sha256-X/wl4MpxfQ7sLlFTkkiDQGyRFQ6lC9pdcy3XPrSeOZw="; + }) + ]; + postPatch = '' patchShebangs \ tests/test-runner.sh \ From 0198fc88ea4dd98d56fc0db23e15f9e3f37646e8 Mon Sep 17 00:00:00 2001 From: fsagbuya Date: Tue, 30 Jun 2026 16:10:17 +0800 Subject: [PATCH 12/54] nixos/tests/flarum: init --- nixos/tests/all-tests.nix | 1 + nixos/tests/flarum.nix | 52 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 nixos/tests/flarum.nix diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 1b57744633bd..a36c070c5726 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -622,6 +622,7 @@ in flannel = runTestOn [ "x86_64-linux" ] ./flannel.nix; flap-alerted = runTest ./flap-alerted.nix; flaresolverr = runTest ./flaresolverr.nix; + flarum = runTest ./flarum.nix; flood = runTest ./flood.nix; fluent-bit = runTest ./fluent-bit.nix; fluentd = runTest ./fluentd.nix; diff --git a/nixos/tests/flarum.nix b/nixos/tests/flarum.nix new file mode 100644 index 000000000000..17c7df02f44c --- /dev/null +++ b/nixos/tests/flarum.nix @@ -0,0 +1,52 @@ +{ lib, ... }: +{ + name = "flarum"; + + meta = { + maintainers = with lib.maintainers; [ + fsagbuya + jasonodoom + ]; + }; + + nodes.machine = + { ... }: + { + # Flarum installs and migrates the database on first boot and runs a + # MariaDB server alongside PHP-FPM and nginx, so give the VM some headroom. + virtualisation.memorySize = 2048; + + services.flarum = { + enable = true; + forumTitle = "NixOS Flarum Test Forum"; + domain = "localhost"; + baseUrl = "http://localhost"; + + # Run `flarum install` against the locally provisioned MariaDB. Safe here + # because the VM always starts from a fresh, empty database. + createDatabaseLocally = true; + + adminUser = "admin"; + adminEmail = "admin@example.com"; + # Flarum rejects admin passwords shorter than 8 characters. + initialAdminPassword = "flarum-admin-password"; + }; + }; + + testScript = '' + start_all() + + # PHP-FPM is ordered after the oneshot installer (Type=oneshot, no + # RemainAfterExit), so waiting on it implies the install/migrate finished. + machine.wait_for_unit("phpfpm-flarum.service") + machine.wait_for_unit("nginx.service") + machine.wait_for_open_port(80) + + # The forum front page is server-rendered and embeds the configured title. + machine.wait_until_succeeds("curl -sf http://localhost/ -o /dev/null") + machine.succeed("curl -sf http://localhost/ | grep -F 'NixOS Flarum Test Forum'") + + # The admin API endpoint should respond, confirming the app booted cleanly. + machine.succeed("curl -sf http://localhost/api -o /dev/null") + ''; +} From 91832859b41ba457d5e760f7289b01f7c9621a01 Mon Sep 17 00:00:00 2001 From: sempiternal-aurora <78790545+sempiternal-aurora@users.noreply.github.com> Date: Tue, 30 Jun 2026 18:10:28 +1000 Subject: [PATCH 13/54] python3Packages.roman: fix build with older setuptools_80 --- pkgs/development/python-modules/roman/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/roman/default.nix b/pkgs/development/python-modules/roman/default.nix index 754a889cc795..fbf8712820e5 100644 --- a/pkgs/development/python-modules/roman/default.nix +++ b/pkgs/development/python-modules/roman/default.nix @@ -2,7 +2,7 @@ lib, buildPythonPackage, fetchFromGitHub, - setuptools, + setuptools_80, pytestCheckHook, }: @@ -18,7 +18,7 @@ buildPythonPackage (finalAttrs: { hash = "sha256-ZtwHlS3V18EqDXJxTTwfUdtOvyQg9GbSArV7sOs1b38="; }; - build-system = [ setuptools ]; + build-system = [ setuptools_80 ]; pythonImportsCheck = [ "roman" ]; From 440f2226c78e78ad07eede75f050e98a6065f758 Mon Sep 17 00:00:00 2001 From: fsagbuya Date: Tue, 30 Jun 2026 16:18:30 +0800 Subject: [PATCH 14/54] flarum: add passthru test --- pkgs/by-name/fl/flarum/package.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/by-name/fl/flarum/package.nix b/pkgs/by-name/fl/flarum/package.nix index 227eb5b395fe..d79a26a5bb34 100644 --- a/pkgs/by-name/fl/flarum/package.nix +++ b/pkgs/by-name/fl/flarum/package.nix @@ -2,6 +2,7 @@ lib, php, fetchFromGitHub, + nixosTests, }: php.buildComposerProject2 (finalAttrs: { @@ -19,6 +20,8 @@ php.buildComposerProject2 (finalAttrs: { composerStrictValidation = false; vendorHash = "sha256-EHl+Mr6y5A51EpLPAWUGtiPkLOky6KvsSY4JWHeyO28="; + passthru.tests.module = nixosTests.flarum; + meta = { changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md"; description = "Delightfully simple discussion platform for your website"; From 04cbd125326bad5943f8fbb4ef8ae5cb0a1e8811 Mon Sep 17 00:00:00 2001 From: Ivan Mincik Date: Tue, 30 Jun 2026 13:31:41 +0200 Subject: [PATCH 15/54] netavark: revert 1.17.2 -> 2.0.0" netavark update must be done in sync with podman and buildah. From netavark 2.0.0 release notes: """ This is major release with breaking changes. It is required for podman 6.0 and buildah 1.44 and only supported to be used with them together. Packagers need to ensure they update the versions in sync. """ From podman 6.0.0 release notes: """ Due to breaking changes in this release, Podman v6.0.0 must be used with Buildah v1.44.0, Skopeo v1.23, Netavark and Aardvark v2.0.0, and configuration files from the container-libs repository's common/v0.68.0 release. """ --- pkgs/by-name/ne/netavark/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/ne/netavark/package.nix b/pkgs/by-name/ne/netavark/package.nix index 21ab26755886..cdccae339838 100644 --- a/pkgs/by-name/ne/netavark/package.nix +++ b/pkgs/by-name/ne/netavark/package.nix @@ -11,16 +11,16 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "netavark"; - version = "2.0.0"; + version = "1.17.2"; src = fetchFromGitHub { owner = "containers"; repo = "netavark"; rev = "v${finalAttrs.version}"; - hash = "sha256-hMtYAG1OnnK1xECp8yiGEtgrWWnVfywLokOw6fzKEjw="; + hash = "sha256-FdJNcHYK6Jc1dNqcUr5Ne8dv1dzlHRhcjoldiihrov8="; }; - cargoHash = "sha256-oVIOS0bzvT6FW43TJ/p0PZO/cjskzljhyxqeM0aSCCo="; + cargoHash = "sha256-wp/1lWc3OfNQt74m8DtpuFO/Mf07+M7numq2FMEkeGo="; nativeBuildInputs = [ installShellFiles From 0220d8af58153f4c8a8782b7d6f5b65bc67f6982 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 30 Jun 2026 13:12:02 +0000 Subject: [PATCH 16/54] icestudio: 0.12-unstable-2026-05-28 -> 0.12-unstable-2026-06-29 --- pkgs/by-name/ic/icestudio/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/ic/icestudio/package.nix b/pkgs/by-name/ic/icestudio/package.nix index 025a837aaffc..9e7995642d03 100644 --- a/pkgs/by-name/ic/icestudio/package.nix +++ b/pkgs/by-name/ic/icestudio/package.nix @@ -13,13 +13,13 @@ let # Use unstable because it has improvements for finding python - version = "0.12-unstable-2026-05-28"; + version = "0.12-unstable-2026-06-29"; src = fetchFromGitHub { owner = "FPGAwars"; repo = "icestudio"; - rev = "cfa40bd83ada8d7f3594c2cd60e39d2d63ff14d0"; - hash = "sha256-vp4cLDK2mfheLw+0ysNjKW5bbrm806Y6sHkSpEgWo4U="; + rev = "8607f7ef538c4b447362b2ab90aece2fbb7d1b75"; + hash = "sha256-8KYwlOKKmTQza71cVpssOGJJNwIUvMHMYcokhK/LhEo="; }; collection = fetchurl { From 38a040264ef1833811576b104485c42175b69dd3 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 30 Jun 2026 14:21:42 +0000 Subject: [PATCH 17/54] acli: 1.3.20-stable -> 1.3.21-stable --- pkgs/by-name/ac/acli/sources.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pkgs/by-name/ac/acli/sources.json b/pkgs/by-name/ac/acli/sources.json index ebc68bc98fb4..bd8c679ff957 100644 --- a/pkgs/by-name/ac/acli/sources.json +++ b/pkgs/by-name/ac/acli/sources.json @@ -1,21 +1,21 @@ { - "version": "1.3.20-stable", + "version": "1.3.21-stable", "sources": { "aarch64-darwin": { - "url": "https://acli.atlassian.com/darwin/1.3.20-stable/acli_1.3.20-stable_darwin_arm64.tar.gz", - "sha256": "5fca5f021b8202f77f60ecc0ded293fb4af67afdb462ed20dce990cfedc49517" + "url": "https://acli.atlassian.com/darwin/1.3.21-stable/acli_1.3.21-stable_darwin_arm64.tar.gz", + "sha256": "39687d1c18054736f7264d76d33ceb89e8ebf480fbbba9541d9fefdda94ded66" }, "aarch64-linux": { - "url": "https://acli.atlassian.com/linux/1.3.20-stable/acli_1.3.20-stable_linux_arm64.tar.gz", - "sha256": "2209f6ab1f7fb4c16247e30115d0ff7c1511161aeae4d166e0e79ec81125a4b1" + "url": "https://acli.atlassian.com/linux/1.3.21-stable/acli_1.3.21-stable_linux_arm64.tar.gz", + "sha256": "b6104cd1737613fe4b24c20619965bb59b7b9bc09e39fb95f41a671b2b320ab8" }, "x86_64-darwin": { - "url": "https://acli.atlassian.com/darwin/1.3.20-stable/acli_1.3.20-stable_darwin_amd64.tar.gz", - "sha256": "4b9c4faa0d635b6e9194b101d4826b26cd6a15c46313f6a5f9436e20e8a48b78" + "url": "https://acli.atlassian.com/darwin/1.3.21-stable/acli_1.3.21-stable_darwin_amd64.tar.gz", + "sha256": "75f08d45886f770117405bb5b053bfa4c8e98045afe3dfa965905fabd8825f5c" }, "x86_64-linux": { - "url": "https://acli.atlassian.com/linux/1.3.20-stable/acli_1.3.20-stable_linux_amd64.tar.gz", - "sha256": "4e0190233a58276001a3cdff23e4be5e30844f98c639c49cfdeb581b9eb147aa" + "url": "https://acli.atlassian.com/linux/1.3.21-stable/acli_1.3.21-stable_linux_amd64.tar.gz", + "sha256": "f158f6e8f6ae7e279d1ced8ce85a93647aa70c42c29f0d5ad303ebd3c727f956" } } } From d6b5e31e99d37a752addbda3da06f945660f9ece Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 30 Jun 2026 08:44:52 -0700 Subject: [PATCH 18/54] python3Packages.rich-rst: 2.0.1 -> 2.0.2 Diff: https://github.com/wasi-master/rich-rst/compare/v2.0.1...v2.0.2 Changelog: https://github.com/wasi-master/rich-rst/releases/tag/v2.0.2 --- pkgs/development/python-modules/rich-rst/default.nix | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/pkgs/development/python-modules/rich-rst/default.nix b/pkgs/development/python-modules/rich-rst/default.nix index 457138c5e226..15750beec57c 100644 --- a/pkgs/development/python-modules/rich-rst/default.nix +++ b/pkgs/development/python-modules/rich-rst/default.nix @@ -1,33 +1,31 @@ { lib, buildPythonPackage, - docutils, fetchFromGitHub, + pygments, pytestCheckHook, rich, - setuptools-scm, setuptools, }: buildPythonPackage (finalAttrs: { pname = "rich-rst"; - version = "2.0.1"; + version = "2.0.2"; pyproject = true; src = fetchFromGitHub { owner = "wasi-master"; repo = "rich-rst"; tag = "v${finalAttrs.version}"; - hash = "sha256-7nniBu9UnXA0pogv0TDkANTeOcsVYbyDxEr6/r7MxcY="; + hash = "sha256-M4ngZNYPasEqqfRay8aGHDII+LkwLhBp5kF9ryJ5LwQ="; }; build-system = [ setuptools - setuptools-scm ]; dependencies = [ - docutils + pygments rich ]; From c78f5f413fd0f8e0a682b3a1e8a93966e0cfb26b Mon Sep 17 00:00:00 2001 From: Daniel Fullmer Date: Sun, 28 Jun 2026 16:11:31 -0700 Subject: [PATCH 19/54] onnxruntime: fix CUDAExecutionProvider loading error onnxruntime fails to load the CUDAExecutionProvider with an libonnxruntime_providers_cuda.so: undefined symbol: nvrtcGetProgramLogSize error. cudnn-frontend >=1.19.0 now includes symbols provided by nvrtc but does not ensure it is linked against it. Recent commits to onnxruntime add the CUDA::nvrtc link target to resolve the issue. This adds the same change here. --- pkgs/by-name/on/onnxruntime/nvrtc-link.patch | 26 ++++++++++++++++++++ pkgs/by-name/on/onnxruntime/package.nix | 6 +++++ 2 files changed, 32 insertions(+) create mode 100644 pkgs/by-name/on/onnxruntime/nvrtc-link.patch diff --git a/pkgs/by-name/on/onnxruntime/nvrtc-link.patch b/pkgs/by-name/on/onnxruntime/nvrtc-link.patch new file mode 100644 index 000000000000..8c83c364498a --- /dev/null +++ b/pkgs/by-name/on/onnxruntime/nvrtc-link.patch @@ -0,0 +1,26 @@ +diff --git a/cmake/onnxruntime_providers_cuda.cmake b/cmake/onnxruntime_providers_cuda.cmake +index 624057dd43..64de9a0860 100644 +--- a/cmake/onnxruntime_providers_cuda.cmake ++++ b/cmake/onnxruntime_providers_cuda.cmake +@@ -310,7 +310,7 @@ + message( WARNING "To compile with NHWC ops enabled please compile against cuDNN 9 or newer." ) + endif() + endif() +- target_link_libraries(${target} PRIVATE CUDA::cublasLt CUDA::cublas CUDNN::cudnn_all cudnn_frontend CUDA::curand CUDA::cufft CUDA::cudart ++ target_link_libraries(${target} PRIVATE CUDA::cublasLt CUDA::cublas CUDNN::cudnn_all cudnn_frontend CUDA::curand CUDA::cufft CUDA::cudart CUDA::nvrtc CUDA::cuda_driver + ${ABSEIL_LIBS} ${ONNXRUNTIME_PROVIDERS_SHARED} Boost::mp11 safeint_interface) + endif() + +diff --git a/cmake/onnxruntime_providers_cuda_plugin.cmake b/cmake/onnxruntime_providers_cuda_plugin.cmake +index e345c944dc..82742df359 100644 +--- a/cmake/onnxruntime_providers_cuda_plugin.cmake ++++ b/cmake/onnxruntime_providers_cuda_plugin.cmake +@@ -250,6 +250,8 @@ target_link_libraries(onnxruntime_providers_cuda_plugin PRIVATE + CUDA::cublas + CUDA::cublasLt + CUDA::cufft ++ CUDA::nvrtc ++ CUDA::cuda_driver + CUDNN::cudnn_all + cudnn_frontend + Boost::mp11 diff --git a/pkgs/by-name/on/onnxruntime/package.nix b/pkgs/by-name/on/onnxruntime/package.nix index 4253d258d8b2..7f8eb893fb6f 100644 --- a/pkgs/by-name/on/onnxruntime/package.nix +++ b/pkgs/by-name/on/onnxruntime/package.nix @@ -132,6 +132,12 @@ effectiveStdenv.mkDerivation (finalAttrs: { # https://github.com/microsoft/onnxruntime/issues/9155 # Patch adapted from https://gitlab.alpinelinux.org/alpine/aports/-/raw/462dfe0eb4b66948fe48de44545cc22bb64fdf9f/community/onnxruntime/0001-Remove-MATH_NO_EXCEPT-macro.patch ./remove-MATH_NO_EXCEPT-macro.patch + ] + # Include additional target_link_libraries needed for cudnn-frontend >= 2.19 + # See: https://github.com/microsoft/onnxruntime/pull/28849 + # These changes are included in 548ab6e and fc7a9f0 upstream + ++ lib.optionals cudaSupport [ + ./nvrtc-link.patch ]; postPatch = '' From f3d7d953c32c19300f1d384fd7defc1f358bba6c Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Tue, 30 Jun 2026 22:07:34 +0200 Subject: [PATCH 20/54] pythpn3Packages.simplisafe-python: modernize --- .../python-modules/simplisafe-python/default.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pkgs/development/python-modules/simplisafe-python/default.nix b/pkgs/development/python-modules/simplisafe-python/default.nix index 81ddef813dd0..03cf12a85c32 100644 --- a/pkgs/development/python-modules/simplisafe-python/default.nix +++ b/pkgs/development/python-modules/simplisafe-python/default.nix @@ -18,7 +18,7 @@ websockets, }: -buildPythonPackage rec { +buildPythonPackage (finalAttrs: { pname = "simplisafe-python"; version = "2026.06.0"; pyproject = true; @@ -26,13 +26,13 @@ buildPythonPackage rec { src = fetchFromGitHub { owner = "bachya"; repo = "simplisafe-python"; - tag = version; + tag = finalAttrs.version; hash = "sha256-e59h4zX0AuzNlR1sovw4QJ6zXxksElY5emEM9eTfjwI="; }; - nativeBuildInputs = [ poetry-core ]; + build-system = [ poetry-core ]; - propagatedBuildInputs = [ + dependencies = [ aiohttp backoff beautifulsoup4 @@ -69,10 +69,10 @@ buildPythonPackage rec { __darwinAllowLocalNetworking = true; meta = { - changelog = "https://github.com/bachya/simplisafe-python/releases/tag/${version}"; description = "Python library the SimpliSafe API"; homepage = "https://simplisafe-python.readthedocs.io/"; - license = with lib.licenses; [ mit ]; + changelog = "https://github.com/bachya/simplisafe-python/releases/tag/${finalAttrs.src.tag}"; + license = lib.licenses.mit; maintainers = with lib.maintainers; [ fab ]; }; -} +}) From eb9d0efb6ed3e67ff1fc8e8284fb8cbeb9e00aeb Mon Sep 17 00:00:00 2001 From: Tom Herbers Date: Wed, 1 Jul 2026 00:48:51 +0200 Subject: [PATCH 21/54] batman-adv: 2026.1 -> 2026.2 Changelog: https://www.open-mesh.org/news/128 --- pkgs/os-specific/linux/batman-adv/version.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkgs/os-specific/linux/batman-adv/version.nix b/pkgs/os-specific/linux/batman-adv/version.nix index e12da2673ae4..8f05cf345198 100644 --- a/pkgs/os-specific/linux/batman-adv/version.nix +++ b/pkgs/os-specific/linux/batman-adv/version.nix @@ -1,14 +1,14 @@ { - version = "2026.1"; + version = "2026.2"; # To get these, run: # # ``` - # for tool in alfred batctl batman-adv; do nix-prefetch-url https://downloads.open-mesh.org/batman/releases/batman-adv-2026.1/$tool-2026.1.tar.gz --type sha256 | xargs nix --extra-experimental-features nix-command hash convert --hash-algo sha256 --to sri; done + # for tool in alfred batctl batman-adv; do nix-prefetch-url https://downloads.open-mesh.org/batman/releases/batman-adv-2026.2/$tool-2026.2.tar.gz --type sha256 | xargs nix --extra-experimental-features nix-command hash convert --hash-algo sha256 --to sri; done # ``` sha256 = { - alfred = "sha256-Rd+8uKfLuq7j4SYHpGYB3YbOUiUHJTXptJ2kC78CtIk="; - batctl = "sha256-hEQWhsHUTtV6Vg8qC+n4brksMQ8iqqSgCTPrbIk2CHo="; - batman-adv = "sha256-ZIfdO0rQ+FUQ3tu6M1/nexuHfQ53OTxR3coHp0Ubj0U="; + alfred = "sha256-2ZV0i+X2KkIJFSXMwQLfWsZCGG6bkBRpipVaRGm2m5Y="; + batctl = "sha256-wdWAr7Bm0xZcI5tnQwuUxpkyYZwGqQsSlegoy1CBsSI="; + batman-adv = "sha256-Thf87SyAlF4iYJvodTRIFzP/G10XBQ3k5PMjwXFBgTU="; }; } From f874f44bd1f273eac349a66e74b6f8b96a29a295 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 30 Jun 2026 23:13:38 +0000 Subject: [PATCH 22/54] python3Packages.free-proxy: 1.1.3 -> 1.2.1 --- pkgs/development/python-modules/free-proxy/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/free-proxy/default.nix b/pkgs/development/python-modules/free-proxy/default.nix index c315076b09c5..349d006b710c 100644 --- a/pkgs/development/python-modules/free-proxy/default.nix +++ b/pkgs/development/python-modules/free-proxy/default.nix @@ -10,14 +10,14 @@ buildPythonPackage rec { pname = "free-proxy"; - version = "1.1.3"; + version = "1.2.1"; pyproject = true; src = fetchFromGitHub { owner = "jundymek"; repo = "free-proxy"; tag = "v${version}"; - hash = "sha256-8SxKGGifQTU0CUrtUQUtrmeq+Do4GIqNUWAdCt++eUA="; + hash = "sha256-Q8102tnssVnIYEP9fBOBFSSsZqTGGulalyAkvnlp3UY="; }; build-system = [ setuptools ]; From b2a8dd2e5543c2dab0a8f20742eb93ebf94a2759 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 30 Jun 2026 23:51:47 +0000 Subject: [PATCH 23/54] vivaldi: 8.0.4033.50 -> 8.0.4033.54 --- pkgs/by-name/vi/vivaldi/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/vi/vivaldi/package.nix b/pkgs/by-name/vi/vivaldi/package.nix index de2af51620bc..f1f08fc50e47 100644 --- a/pkgs/by-name/vi/vivaldi/package.nix +++ b/pkgs/by-name/vi/vivaldi/package.nix @@ -67,7 +67,7 @@ stdenv.mkDerivation rec { pname = "vivaldi"; - version = "8.0.4033.50"; + version = "8.0.4033.54"; suffix = { @@ -80,8 +80,8 @@ stdenv.mkDerivation rec { url = "https://downloads.vivaldi.com/stable/vivaldi-stable_${version}-1_${suffix}.deb"; hash = { - aarch64-linux = "sha256-5n5+DY03lRDKLWX/WPX17Wg7IeTl4MDKEWOZEYHaPDE="; - x86_64-linux = "sha256-IVytlw5NzxV1TwLHeX81AgWEHHVzksVC3a0S/WuWEaA="; + aarch64-linux = "sha256-i2FAMp3MFsnXTjQoF4Y/BuB6j+x3ugfsu0ePGI/h5Po="; + x86_64-linux = "sha256-a4ZLX/DpygZgPPjt4BQxTuRbFoPmNuRgdZFiI6UclQI="; } .${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}"); }; From 998dc0f0648e42d4b96ba0d09f0e7a0d5f945054 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 1 Jul 2026 00:00:14 +0000 Subject: [PATCH 24/54] musescore-evolution: 3.7.0-unstable-2026-06-10 -> 3.7.0-unstable-2026-06-30 --- pkgs/by-name/mu/musescore-evolution/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/mu/musescore-evolution/package.nix b/pkgs/by-name/mu/musescore-evolution/package.nix index 03f01633f930..a544f3ec94f1 100644 --- a/pkgs/by-name/mu/musescore-evolution/package.nix +++ b/pkgs/by-name/mu/musescore-evolution/package.nix @@ -28,13 +28,13 @@ stdenv.mkDerivation (finalAttrs: { __structuredAttrs = true; pname = "musescore-evolution"; - version = "3.7.0-unstable-2026-06-10"; + version = "3.7.0-unstable-2026-06-30"; src = fetchFromGitHub { owner = "Jojo-Schmitz"; repo = "MuseScore"; - rev = "ec719c0152fbb0fb57758a14a3754ad08d31dfc7"; - hash = "sha256-yXVKjaY/utXA3617ik4misxeOVFp+0oo0RSU3yPUA00="; + rev = "8b07f250f0a657582609a870f27ea4794ec81ff2"; + hash = "sha256-XclDbyopuP4+3tfgsCThxr7QYdKmoaBSfWd+3h8A+6w="; }; patches = [ From 298e2f0683df22018b31fe1312134c34313d896d Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 1 Jul 2026 00:02:48 +0000 Subject: [PATCH 25/54] pana: 0.23.12 -> 0.23.13 --- pkgs/by-name/pa/pana/package.nix | 4 +- pkgs/by-name/pa/pana/pubspec.lock.json | 94 +++++++++++++------------- 2 files changed, 49 insertions(+), 49 deletions(-) diff --git a/pkgs/by-name/pa/pana/package.nix b/pkgs/by-name/pa/pana/package.nix index fb5d0c9a97ab..6881bae84334 100644 --- a/pkgs/by-name/pa/pana/package.nix +++ b/pkgs/by-name/pa/pana/package.nix @@ -9,13 +9,13 @@ }: buildDartApplication rec { pname = "pana"; - version = "0.23.12"; + version = "0.23.13"; src = fetchFromGitHub { owner = "dart-lang"; repo = "pana"; tag = version; - hash = "sha256-y72E2ojoAJF38QLb+5iKiAjF7c8AqglmY0qI53MohX4="; + hash = "sha256-LPTcmAb0eZKhxzz/LzV4GnHfw/RAKCItoC7Vn9vvOuw="; }; dartEntryPoints = { diff --git a/pkgs/by-name/pa/pana/pubspec.lock.json b/pkgs/by-name/pa/pana/pubspec.lock.json index 4e3c4076ee5e..2ca72fb00a18 100644 --- a/pkgs/by-name/pa/pana/pubspec.lock.json +++ b/pkgs/by-name/pa/pana/pubspec.lock.json @@ -4,21 +4,21 @@ "dependency": "transitive", "description": { "name": "_fe_analyzer_shared", - "sha256": "1dd467c7e56541bea70bbd35d537e3aa12dfba81f39e2a75bb6a61fc5595985b", + "sha256": "1b0e6a07425a3e460666e88bf1c949ccc7bb0116ad562ce94a1eca60fe820725", "url": "https://pub.dev" }, "source": "hosted", - "version": "97.0.0" + "version": "103.0.0" }, "analyzer": { "dependency": "direct main", "description": { "name": "analyzer", - "sha256": "041602214e3ec5a02ba85c08fe8e381aa25ac5367db17d03fbb6d22d851d4bba", + "sha256": "61c04d0c1bfed555c681ea079519933f071a5a026578ff73c4ff0df2d3462e5e", "url": "https://pub.dev" }, "source": "hosted", - "version": "11.0.0" + "version": "13.3.0" }, "args": { "dependency": "direct main", @@ -54,11 +54,11 @@ "dependency": "direct dev", "description": { "name": "build", - "sha256": "aadd943f4f8cc946882c954c187e6115a84c98c81ad1d9c6cbf0895a8c85da9c", + "sha256": "a156715e7cd728130c592f30552575908aae5b100005fbc1f0fb16b3c03a3d10", "url": "https://pub.dev" }, "source": "hosted", - "version": "4.0.5" + "version": "4.0.6" }, "build_config": { "dependency": "direct dev", @@ -84,11 +84,11 @@ "dependency": "direct dev", "description": { "name": "build_runner", - "sha256": "521daf8d189deb79ba474e43a696b41c49fb3987818dbacf3308f1e03673a75e", + "sha256": "1523ce62448ebac2c15a8ba5fbad8acac169788658a7dd2a1c2d9c2a9318b9a6", "url": "https://pub.dev" }, "source": "hosted", - "version": "2.13.1" + "version": "2.15.0" }, "build_verify": { "dependency": "direct dev", @@ -124,11 +124,11 @@ "dependency": "transitive", "description": { "name": "built_value", - "sha256": "0730c18c770d05636a8f945c32a4d7d81cb6e0f0148c8db4ad12e7748f7e49af", + "sha256": "34e4067d30ce212937df995f03b69992eea683539ceeac7f679a1f1eba055b56", "url": "https://pub.dev" }, "source": "hosted", - "version": "8.12.5" + "version": "8.12.6" }, "checked_yaml": { "dependency": "transitive", @@ -154,21 +154,11 @@ "dependency": "direct main", "description": { "name": "cli_util", - "sha256": "ff6785f7e9e3c38ac98b2fb035701789de90154024a75b6cb926445e83197d1c", + "sha256": "5909d2c6b66817222779e1eedc19e0e28b76d1df7bd9856a4792ccb9881df358", "url": "https://pub.dev" }, "source": "hosted", - "version": "0.4.2" - }, - "code_builder": { - "dependency": "transitive", - "description": { - "name": "code_builder", - "sha256": "6a6cab2ba4680d6423f34a9b972a4c9a94ebe1b62ecec4e1a1f2cba91fd1319d", - "url": "https://pub.dev" - }, - "source": "hosted", - "version": "4.11.1" + "version": "0.5.1" }, "collection": { "dependency": "direct main", @@ -194,11 +184,11 @@ "dependency": "transitive", "description": { "name": "coverage", - "sha256": "5da775aa218eaf2151c721b16c01c7676fbfdd99cebba2bf64e8b807a28ff94d", + "sha256": "956a3de0725ca232ad353565a8290d3357592bf4250f6f298a185e2d949c5d3d", "url": "https://pub.dev" }, "source": "hosted", - "version": "1.15.0" + "version": "1.15.1" }, "crypto": { "dependency": "direct main", @@ -234,11 +224,21 @@ "dependency": "transitive", "description": { "name": "dart_style", - "sha256": "29f7ecc274a86d32920b1d9cfc7502fa87220da41ec60b55f329559d5732e2b2", + "sha256": "59d53ef8eaed9d288ed9767618e2b31c4fa0383a127db59d5eb2e737a7638a60", "url": "https://pub.dev" }, "source": "hosted", - "version": "3.1.7" + "version": "3.1.9" + }, + "ffi": { + "dependency": "transitive", + "description": { + "name": "ffi", + "sha256": "6d7fd89431262d8f3125e81b50d3847a091d846eafcd4fdb88dd06f36d705a45", + "url": "https://pub.dev" + }, + "source": "hosted", + "version": "2.2.0" }, "file": { "dependency": "transitive", @@ -344,21 +344,21 @@ "dependency": "direct main", "description": { "name": "json_annotation", - "sha256": "cb09e7dac6210041fad964ed7fbee004f14258b4eca4040f72d1234062ace4c8", + "sha256": "2a743920d81b7910627f68ee2c9ac1fc0bfee32b9fc3403587d7c6791ca12f80", "url": "https://pub.dev" }, "source": "hosted", - "version": "4.11.0" + "version": "4.12.0" }, "json_serializable": { "dependency": "direct dev", "description": { "name": "json_serializable", - "sha256": "fbcf404b03520e6e795f6b9b39badb2b788407dfc0a50cf39158a6ae1ca78925", + "sha256": "ffcd10cde35a93b2abbbcc26bd9971f4ca93763e8abe78d855e3c4177797e501", "url": "https://pub.dev" }, "source": "hosted", - "version": "6.13.1" + "version": "6.14.0" }, "lints": { "dependency": "direct main", @@ -394,21 +394,21 @@ "dependency": "transitive", "description": { "name": "matcher", - "sha256": "dc0b7dc7651697ea4ff3e69ef44b0407ea32c487a39fff6a4004fa585e901861", + "sha256": "31bd099b47c10cd1aeb55146a2d46ce0277630ecef3f7dae54ad7873f36696cd", "url": "https://pub.dev" }, "source": "hosted", - "version": "0.12.19" + "version": "0.12.20" }, "meta": { "dependency": "direct main", "description": { "name": "meta", - "sha256": "df0c643f44ad098eb37988027a8e2b2b5a031fd3977f06bbfd3a76637e8df739", + "sha256": "c82594181e3312f3d0695fc95aaaf7758d75b8d4ae2bbecf223b9fd5109a059d", "url": "https://pub.dev" }, "source": "hosted", - "version": "1.18.2" + "version": "1.18.3" }, "mime": { "dependency": "transitive", @@ -544,21 +544,21 @@ "dependency": "direct dev", "description": { "name": "source_gen", - "sha256": "732792cfd197d2161a65bb029606a46e0a18ff30ef9e141a7a82172b05ea8ecd", + "sha256": "ec37cc0e6694374cbef59ed79685572c870a54ede6fa30a3e420feb3adffea02", "url": "https://pub.dev" }, "source": "hosted", - "version": "4.2.2" + "version": "4.2.3" }, "source_helper": { "dependency": "transitive", "description": { "name": "source_helper", - "sha256": "1d3b229b2934034fb2e691fbb3d53e0f75a4af7b1407f88425ed8f209bcb1b8f", + "sha256": "4227d54ceefd0bb8ca4c8fcb96e1719dc53f1ee1b6e2ca9d7a6069da160e4eae", "url": "https://pub.dev" }, "source": "hosted", - "version": "1.3.11" + "version": "1.3.12" }, "source_map_stack_trace": { "dependency": "transitive", @@ -654,31 +654,31 @@ "dependency": "direct main", "description": { "name": "test", - "sha256": "8d9ceddbab833f180fbefed08afa76d7c03513dfdba87ffcec2718b02bbcbf20", + "sha256": "0d5ba5602ec3baa28c8ce365e1efc5575969c765f45c554a3e167dc7945b9c30", "url": "https://pub.dev" }, "source": "hosted", - "version": "1.31.0" + "version": "1.31.2" }, "test_api": { "dependency": "transitive", "description": { "name": "test_api", - "sha256": "949a932224383300f01be9221c39180316445ecb8e7547f70a41a35bf421fb9e", + "sha256": "475610b2aa23c19687cce2961e44b0cc57cafe220f67c2b80201231b2a07fbe7", "url": "https://pub.dev" }, "source": "hosted", - "version": "0.7.11" + "version": "0.7.13" }, "test_core": { "dependency": "transitive", "description": { "name": "test_core", - "sha256": "1991d4cfe85d5043241acac92962c3977c8d2f2add1ee73130c7b286417d1d34", + "sha256": "a39c204a4fc7a7ccb04a2b985e359fda3cc37e45e0b8ac61c3fb1a05aa832132", "url": "https://pub.dev" }, "source": "hosted", - "version": "0.6.17" + "version": "0.6.19" }, "test_descriptor": { "dependency": "direct dev", @@ -714,11 +714,11 @@ "dependency": "transitive", "description": { "name": "vm_service", - "sha256": "45caa6c5917fa127b5dbcfbd1fa60b14e583afdc08bfc96dda38886ca252eb60", + "sha256": "0016aef94fc66495ac78af5859181e3f3bf2026bd8eecc72b9565601e19ab360", "url": "https://pub.dev" }, "source": "hosted", - "version": "15.0.2" + "version": "15.2.0" }, "watcher": { "dependency": "transitive", @@ -782,6 +782,6 @@ } }, "sdks": { - "dart": ">=3.10.0 <4.0.0" + "dart": ">=3.11.0 <4.0.0" } } From 336550bce50527b170b3a0d6fd0a319fe11bc4a3 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 1 Jul 2026 00:15:44 +0000 Subject: [PATCH 26/54] home-assistant-custom-components.blueprints-updater: 2.9.0 -> 2.9.1 --- .../custom-components/blueprints-updater/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/home-assistant/custom-components/blueprints-updater/package.nix b/pkgs/servers/home-assistant/custom-components/blueprints-updater/package.nix index 31d0bf0b2d4b..7bc24178269c 100644 --- a/pkgs/servers/home-assistant/custom-components/blueprints-updater/package.nix +++ b/pkgs/servers/home-assistant/custom-components/blueprints-updater/package.nix @@ -13,13 +13,13 @@ buildHomeAssistantComponent rec { owner = "luuquangvu"; domain = "blueprints_updater"; - version = "2.9.0"; + version = "2.9.1"; src = fetchFromGitHub { inherit owner; repo = "blueprints-updater"; tag = version; - hash = "sha256-zIkK7ZhUC8fPycWJqXP706XbOdhVlNAOwZBTYTII3dE="; + hash = "sha256-OGQ6lE14w84C88QJv5w+mNBGg7gbCtqb9nde47FkL6A="; }; patches = [ From 0198c91e1c8cfcdbf1d712d6e63d00c25c7c9960 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 1 Jul 2026 00:26:16 +0000 Subject: [PATCH 27/54] incus-ui-canonical: 0.21.2 -> 0.21.3 --- pkgs/by-name/in/incus-ui-canonical/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/in/incus-ui-canonical/package.nix b/pkgs/by-name/in/incus-ui-canonical/package.nix index daf58189b326..e4e500e0ecbf 100644 --- a/pkgs/by-name/in/incus-ui-canonical/package.nix +++ b/pkgs/by-name/in/incus-ui-canonical/package.nix @@ -20,14 +20,14 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "incus-ui-canonical"; - version = "0.21.2"; + version = "0.21.3"; src = fetchFromGitHub { owner = "zabbly"; repo = "incus-ui-canonical"; # only use tags prefixed by incus- they are the tested fork versions tag = "incus-${finalAttrs.version}"; - hash = "sha256-nCussrzWjFbZ6its3X74KBktv/dZO76OJGwG7upjkMw="; + hash = "sha256-fyeh7KX2Cvo2YmUNnmzeWkTGgGrJHhjbq39AmnwhgAs="; }; offlineCache = fetchYarnDeps { From d2b0c3cecfff1f7676abe673808efb7ad3989661 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 1 Jul 2026 00:50:49 +0000 Subject: [PATCH 28/54] python3Packages.pyanglianwater: 3.2.2 -> 3.2.3 --- pkgs/development/python-modules/pyanglianwater/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/pyanglianwater/default.nix b/pkgs/development/python-modules/pyanglianwater/default.nix index abc7172cb4cd..311e81b2f1a6 100644 --- a/pkgs/development/python-modules/pyanglianwater/default.nix +++ b/pkgs/development/python-modules/pyanglianwater/default.nix @@ -12,14 +12,14 @@ buildPythonPackage rec { pname = "pyanglianwater"; - version = "3.2.2"; + version = "3.2.3"; pyproject = true; src = fetchFromGitHub { owner = "pantherale0"; repo = "pyanglianwater"; tag = version; - hash = "sha256-u1s/XsNN6AuTzj0jLE7us1Mmoe8r+VuCl0khS5BRxkQ="; + hash = "sha256-hXHkRiKnv59TW1Wr2aJcMvW65SQbkfSokGjh9AvmN3s="; }; build-system = [ setuptools ]; From 4bb77f4c82891ac3a0ba769b714432bf94f9d8d0 Mon Sep 17 00:00:00 2001 From: whispers Date: Tue, 30 Jun 2026 20:43:55 -0400 Subject: [PATCH 29/54] libssh2: patch CVE-2025-15661, CVE-2026-55199, and CVE-2026-55200 for vulnerability information, see: https://seclists.org/oss-sec/2026/q2/1010 patches are pulled from debian as upstream fixes don't cleanly apply. --- pkgs/by-name/li/libssh2/package.nix | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/pkgs/by-name/li/libssh2/package.nix b/pkgs/by-name/li/libssh2/package.nix index 71ed533d7a74..1e987379f73c 100644 --- a/pkgs/by-name/li/libssh2/package.nix +++ b/pkgs/by-name/li/libssh2/package.nix @@ -26,6 +26,31 @@ stdenv.mkDerivation (finalAttrs: { patches = [ # https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1 ./CVE-2026-7598.patch + + (fetchurl { + name = "CVE-2025-15661.patch"; + url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/CVE-2025-15661.patch"; + hash = "sha256-Rz6i/881CbObUDcZbcPlgVPaKizSp6ZRTdmJNJ9HLHE="; + }) + + (fetchurl { + name = "CVE-2026-55199.patch"; + url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/CVE-2026-55199.patch"; + hash = "sha256-AFZa5kohha62aE0if5ckmAdJ0TZNcjfP32yDznoEhNo="; + }) + + (fetchurl { + name = "CVE-2026-55200.patch"; + url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/CVE-2026-55200.patch"; + hash = "sha256-wCAglr8BsBWIhnh3SiFeyKzZmIp8rC5MVfFgoEzp/hE="; + }) + + # necessary for the fix for CVE-2026-15661 + (fetchurl { + name = "libssh-unconst-backport.patch"; + url = "https://salsa.debian.org/debian/libssh2/-/raw/1d4906e6ebe85a9da2931ba33677ead96a61f07f/debian/patches/libssh-unconst-backport.patch"; + hash = "sha256-jc01Fb70GbaD9+RYeSjRaLFBtKLiMPTMuXas21aC0Ag="; + }) ]; # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion From 2d7df49016885cc472425f7a29b1062ca7eb622b Mon Sep 17 00:00:00 2001 From: whispers Date: Sat, 27 Jun 2026 14:22:12 -0400 Subject: [PATCH 30/54] rust: 1.96.0 -> 1.96.1 blog: https://blog.rust-lang.org/releases/1.96.1 changelog: https://github.com/rust-lang/rust/releases/tag/1.96.1 diff: https://github.com/rust-lang/rust/compare/1.96.0...1.96.1 --- pkgs/development/compilers/rust/1_96.nix | 40 ++++++++++++------------ 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/pkgs/development/compilers/rust/1_96.nix b/pkgs/development/compilers/rust/1_96.nix index 26d58ab8474a..b198c84400b5 100644 --- a/pkgs/development/compilers/rust/1_96.nix +++ b/pkgs/development/compilers/rust/1_96.nix @@ -50,8 +50,8 @@ let in import ./default.nix { - rustcVersion = "1.96.0"; - rustcSha256 = "sha256-6QqesVOylIr6yEDb6dd7ZON2cG8oZDh+53F/dFAEO0Q="; + rustcVersion = "1.96.1"; + rustcSha256 = "sha256-0Km1GYxBhoU4rhKvKAZBY1UdBtzOqxHvCxvJqm6Yt6c="; llvmSharedForBuild = llvmSharedFor pkgsBuildBuild; llvmSharedForHost = llvmSharedFor pkgsBuildHost; @@ -65,27 +65,27 @@ import ./default.nix # Note: the version MUST be the same version that we are building. Upstream # ensures that each released compiler can compile itself: # https://github.com/NixOS/nixpkgs/pull/351028#issuecomment-2438244363 - bootstrapVersion = "1.96.0"; + bootstrapVersion = "1.96.1"; # fetch hashes by running `print-hashes.sh ${bootstrapVersion}` bootstrapHashes = { - i686-unknown-linux-gnu = "1547d452083642c33118cc7fce1697d702ff94fdb4875bf5448fe5b1a6300bbd"; - x86_64-unknown-linux-gnu = "c1130e4f7976f230766ab062b105b1fb050d6a78177db2246a5878fd6a589680"; - x86_64-unknown-linux-musl = "545aff63f37dea2fcbd8037b877219fca6fbba97660bdcb8d3a0fc5df5fa9edf"; - arm-unknown-linux-gnueabihf = "31758cb4175a0b7d2868d149c711ebfbe7b780a9cba5d2f84dce58ddf5a283e4"; - armv7-unknown-linux-gnueabihf = "737d8ab2ace6107e4a3af4189b0e18f805adcafcc00195d5a377fe33e36577ce"; - aarch64-unknown-linux-gnu = "20d5ebe3916fe489891fc577574e47fc679cdf62080c1bb1be6b6905ff4e275b"; - aarch64-unknown-linux-musl = "f55a1f02736d9bcd38969a30f2e6bde8184fd36f13e94f773cac068a56407f16"; - x86_64-apple-darwin = "ddaf6a98ccc500891a74bcb95807a04c89a0d1ad7b9c58bd7116620ff6f903a8"; - aarch64-apple-darwin = "d97daf14c5c346c2d5a3271880d5a06d9885ec9af7e1fd2f072986e338526f8c"; - powerpc64-unknown-linux-gnu = "e49b9fb0671cadef9e5b81871bcfc1dc2c53d7503de7f2d7fa34b7cacc7f62e6"; - powerpc64le-unknown-linux-gnu = "0a80537d96ea86e6520687fa03841f2dfde2c7154ae4bf517d9664d4f13b0c31"; - powerpc64le-unknown-linux-musl = "1deb71349f7ba2af27b9f348429fdae1d7841e6ad6c1bfd5fa9e759922fc79c3"; - riscv64gc-unknown-linux-gnu = "ffdf86a600890771414ada76c711800114501c390631aa7b9c3cbfb94a2f6db3"; - s390x-unknown-linux-gnu = "d29755bb2292ca25ec35ae1407379132a5d87cd916247e895162b93cb91dc5ae"; - loongarch64-unknown-linux-gnu = "3a86d71a43f434234d3ac578ef06a5da86fe5c75ac34e9e43f60fe650577bed2"; - loongarch64-unknown-linux-musl = "6cf0e53ed4678306de34d0f38b934e6dea1b0de56a4f99b725d56be49e1ba8ee"; - x86_64-unknown-freebsd = "5457c15df17ff963b582b95c55fae3bc3736468e4df765182c75c19b1b6e8e74"; + i686-unknown-linux-gnu = "9a3ef03fa419d662fbaf9b152a81db96379781771e6853ca06e31215fb177449"; + x86_64-unknown-linux-gnu = "b177534946e6e5422d8a75398b39625c08eabad675c08bd3d6565d3ba90c8450"; + x86_64-unknown-linux-musl = "12404d68457d3344877fbba3fde2c68743cd200fc70475451568e18076cc2a3d"; + arm-unknown-linux-gnueabihf = "c0c4b52bf5614dfcf6b9e94876f97509c71831fc09b8f0f0e228e13ce896ea92"; + armv7-unknown-linux-gnueabihf = "59320d46850c750b0a0d3e49939c00c3eed9917fab9a633300fb4d04bd8cfebc"; + aarch64-unknown-linux-gnu = "212cebf45b0669b2176eb08ffa17c90b07f9de2689d6aae3604d78699fa4f5c2"; + aarch64-unknown-linux-musl = "9e936f24cfd76db8a45ab352919336978531c0fb4eab7a7bdecc76b9562fcbdb"; + x86_64-apple-darwin = "c19cc27b3387e2dfe7eb4b5becc75ab5acf348b2a7f2142ad3716d93a0abaa2a"; + aarch64-apple-darwin = "c080e506af9cba3ca9472c17d989c2d8d5bcfc818eb5e196c77beee982788b50"; + powerpc64-unknown-linux-gnu = "7133e2e1ccf0eb66c4feeca8a2bbf21ad3223904a3459b3f228ff7c8dfc76871"; + powerpc64le-unknown-linux-gnu = "4cde26acb968f98fdb2f7f52e7f78b75a24afdea38abed7217e1cd02c6acbe06"; + powerpc64le-unknown-linux-musl = "d20d271134a11b3ba74c1c54fb926ea09f1c629321dcf53fb5d510f1ac1125a6"; + riscv64gc-unknown-linux-gnu = "b4c54315491239d2a4816535cea22a57ad1021e2529812ccfc938e64c53da276"; + s390x-unknown-linux-gnu = "17cb4a74048429dc03be326f976b35500c96290af248ed212071bafb4e366762"; + loongarch64-unknown-linux-gnu = "7f646ab7f798e7258db25286cbaed4fb54cae90afe44efebc7ff6c6120e4d3d9"; + loongarch64-unknown-linux-musl = "fd8e5e02e5c4bf879a54a31ebc4c24bbd2feb353a54b4e690e1cd04a97c60354"; + x86_64-unknown-freebsd = "8f5f247b7195a8925c092949c4eea96a6228d67e643dc10d97b1ed7c17e4c433"; }; selectRustPackage = pkgs: pkgs.rust_1_96; From 370135bdc880092a7ef0c7a4ce14befba1abe5b8 Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:22:10 -0400 Subject: [PATCH 31/54] lib.generators: remove assertMsg usage assertMsg sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/generators.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/generators.nix b/lib/generators.nix index 0e15a56db312..d20abb6264ab 100644 --- a/lib/generators.nix +++ b/lib/generators.nix @@ -24,7 +24,6 @@ let inherit (lib) addErrorContext any - assertMsg attrNames attrValues concatLists @@ -64,7 +63,6 @@ let reverseList splitString tail - toList ; inherit (lib.strings) @@ -849,7 +847,7 @@ rec { _type == "lua-inline"; generatedBindings = - assert assertMsg (badVarNames == [ ]) "Bad Lua var names: ${toPretty { } badVarNames}"; + assert badVarNames == [ ] || throw "Bad Lua var names: ${toPretty { } badVarNames}"; concatStrings (mapAttrsToList (key: value: "${indent}${key} = ${toLua innerArgs value}\n") v); # https://en.wikibooks.org/wiki/Lua_Programming/variable#Variable_names From 2221cbb4aaea3ecbda2d4497d2121ed28a4f0bf5 Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:22:22 -0400 Subject: [PATCH 32/54] lib.lists: remove assertMsg usage assertMsg sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/lists.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/lists.nix b/lib/lists.nix index a5ee7c5a880d..e2e24244ff28 100644 --- a/lib/lists.nix +++ b/lib/lists.nix @@ -1848,7 +1848,7 @@ rec { */ last = list: - assert lib.assertMsg (list != [ ]) "lists.last: list must not be empty!"; + assert list != [ ] || throw "lists.last: list must not be empty!"; elemAt list (length list - 1); /** @@ -1881,7 +1881,7 @@ rec { */ init = list: - assert lib.assertMsg (list != [ ]) "lists.init: list must not be empty!"; + assert list != [ ] || throw "lists.init: list must not be empty!"; genList (elemAt list) (length list - 1); /** @@ -2157,7 +2157,8 @@ rec { */ replaceElemAt = list: idx: newElem: - assert lib.assertMsg (idx >= 0 && idx < length list) - "'lists.replaceElemAt' called with index ${toString idx} on a list of size ${toString (length list)}"; + assert + idx >= 0 && idx < length list + || throw "'lists.replaceElemAt' called with index ${toString idx} on a list of size ${toString (length list)}"; genList (i: if i == idx then newElem else elemAt list i) (length list); } From 1e47a49c79c34040957c0f701ddd236148d05c64 Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:22:36 -0400 Subject: [PATCH 33/54] lib.meta: remove assertMsg usage assertMsg sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/meta.nix | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/lib/meta.nix b/lib/meta.nix index 5697b915061c..1defd305abc0 100644 --- a/lib/meta.nix +++ b/lib/meta.nix @@ -12,7 +12,6 @@ let all isDerivation getBin - assertMsg ; inherit (lib.attrsets) mapAttrs' filterAttrs; inherit (builtins) @@ -571,12 +570,15 @@ rec { */ getExe' = x: y: - assert assertMsg (isDerivation x) - "lib.meta.getExe': The first argument is of type ${typeOf x}, but it should be a derivation instead."; - assert assertMsg (isString y) - "lib.meta.getExe': The second argument is of type ${typeOf y}, but it should be a string instead."; - assert assertMsg (match ".*/.*" y == null) - "lib.meta.getExe': The second argument \"${y}\" is a nested path with a \"/\" character, but it should just be the name of the executable instead."; + assert + isDerivation x + || throw "lib.meta.getExe': The first argument is of type ${typeOf x}, but it should be a derivation instead."; + assert + isString y + || throw "lib.meta.getExe': The second argument is of type ${typeOf y}, but it should be a string instead."; + assert + match ".*/.*" y == null + || throw "lib.meta.getExe': The second argument \"${y}\" is a nested path with a \"/\" character, but it should just be the name of the executable instead."; "${getBin x}/bin/${y}"; /** From a017ab10eb0ecdd676280bc4c89c0e94850eee16 Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:22:43 -0400 Subject: [PATCH 34/54] lib.network: remove assertMsg usage assertMsg sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/network/internal.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/network/internal.nix b/lib/network/internal.nix index adda711444fd..d22b2739c3f4 100644 --- a/lib/network/internal.nix +++ b/lib/network/internal.nix @@ -104,9 +104,9 @@ let */ parseExpandedIpv6 = addr: - assert lib.assertMsg ( + assert length addr == ipv6Pieces - ) "parseExpandedIpv6: expected list of integers with ${ipv6Pieces} elements"; + || throw "parseExpandedIpv6: expected list of integers with ${ipv6Pieces} elements"; let u16FromHexStr = hex: From 4ff2645579deb793e8307077b4f8cb2b04b4167a Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:22:54 -0400 Subject: [PATCH 35/54] lib.path: remove assertMsg usage assertMsg sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/path/default.nix | 89 +++++++++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 38 deletions(-) diff --git a/lib/path/default.nix b/lib/path/default.nix index 60c56948d68e..9cefcaa07314 100644 --- a/lib/path/default.nix +++ b/lib/path/default.nix @@ -32,10 +32,6 @@ let substring ; - inherit (lib.asserts) - assertMsg - ; - inherit (lib.path.subpath) isValid ; @@ -238,11 +234,14 @@ in path: # The subpath string to append subpath: - assert assertMsg (isPath path) - "lib.path.append: The first argument is of type ${builtins.typeOf path}, but a path was expected"; - assert assertMsg (isValid subpath) '' - lib.path.append: Second argument is not a valid subpath string: - ${subpathInvalidReason subpath}''; + assert + isPath path + || throw "lib.path.append: The first argument is of type ${builtins.typeOf path}, but a path was expected"; + assert + isValid subpath + || throw '' + lib.path.append: Second argument is not a valid subpath string: + ${subpathInvalidReason subpath}''; path + ("/" + subpath); /** @@ -285,21 +284,25 @@ in */ hasPrefix = path1: - assert assertMsg (isPath path1) - "lib.path.hasPrefix: First argument is of type ${typeOf path1}, but a path was expected"; + assert + isPath path1 + || throw "lib.path.hasPrefix: First argument is of type ${typeOf path1}, but a path was expected"; let path1Deconstructed = deconstructPath path1; in path2: - assert assertMsg (isPath path2) - "lib.path.hasPrefix: Second argument is of type ${typeOf path2}, but a path was expected"; + assert + isPath path2 + || throw "lib.path.hasPrefix: Second argument is of type ${typeOf path2}, but a path was expected"; let path2Deconstructed = deconstructPath path2; in - assert assertMsg (path1Deconstructed.root == path2Deconstructed.root) '' - lib.path.hasPrefix: Filesystem roots must be the same for both paths, but paths with different roots were given: - first argument: "${toString path1}" with root "${toString path1Deconstructed.root}" - second argument: "${toString path2}" with root "${toString path2Deconstructed.root}"''; + assert + path1Deconstructed.root == path2Deconstructed.root + || throw '' + lib.path.hasPrefix: Filesystem roots must be the same for both paths, but paths with different roots were given: + first argument: "${toString path1}" with root "${toString path1Deconstructed.root}" + second argument: "${toString path2}" with root "${toString path2Deconstructed.root}"''; take (length path1Deconstructed.components) path2Deconstructed.components == path1Deconstructed.components; @@ -344,15 +347,17 @@ in */ removePrefix = path1: - assert assertMsg (isPath path1) - "lib.path.removePrefix: First argument is of type ${typeOf path1}, but a path was expected."; + assert + isPath path1 + || throw "lib.path.removePrefix: First argument is of type ${typeOf path1}, but a path was expected."; let path1Deconstructed = deconstructPath path1; path1Length = length path1Deconstructed.components; in path2: - assert assertMsg (isPath path2) - "lib.path.removePrefix: Second argument is of type ${typeOf path2}, but a path was expected."; + assert + isPath path2 + || throw "lib.path.removePrefix: Second argument is of type ${typeOf path2}, but a path was expected."; let path2Deconstructed = deconstructPath path2; success = take path1Length path2Deconstructed.components == path1Deconstructed.components; @@ -362,10 +367,12 @@ in else throw ''lib.path.removePrefix: The first path argument "${toString path1}" is not a component-wise prefix of the second path argument "${toString path2}".''; in - assert assertMsg (path1Deconstructed.root == path2Deconstructed.root) '' - lib.path.removePrefix: Filesystem roots must be the same for both paths, but paths with different roots were given: - first argument: "${toString path1}" with root "${toString path1Deconstructed.root}" - second argument: "${toString path2}" with root "${toString path2Deconstructed.root}"''; + assert + path1Deconstructed.root == path2Deconstructed.root + || throw '' + lib.path.removePrefix: Filesystem roots must be the same for both paths, but paths with different roots were given: + first argument: "${toString path1}" with root "${toString path1Deconstructed.root}" + second argument: "${toString path2}" with root "${toString path2Deconstructed.root}"''; joinRelPath components; /** @@ -422,8 +429,9 @@ in splitRoot = # The path to split the root off of path: - assert assertMsg (isPath path) - "lib.path.splitRoot: Argument is of type ${typeOf path}, but a path was expected"; + assert + isPath path + || throw "lib.path.splitRoot: Argument is of type ${typeOf path}, but a path was expected"; let deconstructed = deconstructPath path; in @@ -494,14 +502,15 @@ in let deconstructed = deconstructPath path; in - assert assertMsg (isPath path) - "lib.path.hasStorePathPrefix: Argument is of type ${typeOf path}, but a path was expected"; - assert assertMsg + assert + isPath path + || throw "lib.path.hasStorePathPrefix: Argument is of type ${typeOf path}, but a path was expected"; + assert # This function likely breaks or needs adjustment if used with other filesystem roots, if they ever get implemented. # Let's try to error nicely in such a case, though it's unclear how an implementation would work even and whether this could be detected. # See also https://github.com/NixOS/nix/pull/6530#discussion_r1422843117 - (deconstructed.root == /. && toString deconstructed.root == "/") - "lib.path.hasStorePathPrefix: Argument has a filesystem root (${toString deconstructed.root}) that's not /, which is currently not supported."; + deconstructed.root == /. && toString deconstructed.root == "/" + || throw "lib.path.hasStorePathPrefix: Argument has a filesystem root (${toString deconstructed.root}) that's not /, which is currently not supported."; componentsHaveStorePathPrefix deconstructed.components; /** @@ -702,9 +711,11 @@ in subpath.components = # The subpath string to split into components subpath: - assert assertMsg (isValid subpath) '' - lib.path.subpath.components: Argument is not a valid subpath string: - ${subpathInvalidReason subpath}''; + assert + isValid subpath + || throw '' + lib.path.subpath.components: Argument is not a valid subpath string: + ${subpathInvalidReason subpath}''; splitRelPath subpath; /** @@ -799,9 +810,11 @@ in subpath.normalise = # The subpath string to normalise subpath: - assert assertMsg (isValid subpath) '' - lib.path.subpath.normalise: Argument is not a valid subpath string: - ${subpathInvalidReason subpath}''; + assert + isValid subpath + || throw '' + lib.path.subpath.normalise: Argument is not a valid subpath string: + ${subpathInvalidReason subpath}''; joinRelPath (splitRelPath subpath); } From 855f2d04358991a8cd10d4f7b5ff9e0b0ea53901 Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:23:00 -0400 Subject: [PATCH 36/54] lib.strings: remove assertMsg usage assertMsg sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/strings.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/strings.nix b/lib/strings.nix index b81a04a6666b..a926edfaeba6 100644 --- a/lib/strings.nix +++ b/lib/strings.nix @@ -2532,8 +2532,9 @@ rec { strw = lib.stringLength str; reqWidth = width - (lib.stringLength filler); in - assert lib.assertMsg (strw <= width) - "fixedWidthString: requested string length (${toString width}) must not be shorter than actual length (${toString strw})"; + assert + strw <= width + || throw "fixedWidthString: requested string length (${toString width}) must not be shorter than actual length (${toString strw})"; if strw == width then str else filler + fixedWidthString reqWidth filler str; /** From ce99cfa1039d81a377f044f4a079b5b3e2b781bb Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:23:08 -0400 Subject: [PATCH 37/54] lib.types: remove assertMsg usage assertMsg sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/types.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/types.nix b/lib/types.nix index f9ae3c82a172..41acfd907854 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -408,7 +408,7 @@ rec { betweenDesc = lowest: highest: "${toString lowest} and ${toString highest} (both inclusive)"; between = lowest: highest: - assert lib.assertMsg (lowest <= highest) "ints.between: lowest must be smaller than highest"; + assert lowest <= highest || throw "ints.between: lowest must be smaller than highest"; addCheck int (x: x >= lowest && x <= highest) // { name = "intBetween"; @@ -495,7 +495,7 @@ rec { { between = lowest: highest: - assert lib.assertMsg (lowest <= highest) "numbers.between: lowest must be smaller than highest"; + assert lowest <= highest || throw "numbers.between: lowest must be smaller than highest"; addCheck number (x: x >= lowest && x <= highest) // { name = "numberBetween"; @@ -1728,9 +1728,9 @@ rec { # converted to `finalType` using `coerceFunc`. coercedTo = coercedType: coerceFunc: finalType: - assert lib.assertMsg ( + assert coercedType.getSubModules == null - ) "coercedTo: coercedType must not have submodules (it’s a ${coercedType.description})"; + || throw "coercedTo: coercedType must not have submodules (it’s a ${coercedType.description})"; mkOptionType rec { name = "coercedTo"; description = "${optionDescriptionPhrase (class: class == "noun") finalType} or ${ From c81b12b698ab6726abff151979d0589855cbd3d3 Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:31:39 -0400 Subject: [PATCH 38/54] lib.fetchers: remove throwIf usage throwIf sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/fetchers.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/fetchers.nix b/lib/fetchers.nix index 0f4192cc6822..24f257a1f883 100644 --- a/lib/fetchers.nix +++ b/lib/fetchers.nix @@ -22,7 +22,6 @@ let concatMapStringsSep head length - throwIf ; inherit (lib.attrsets) attrsToList @@ -130,7 +129,7 @@ rec { hashesAsNVPairs = attrsToList (intersectAttrs hashSet args); in if hashesAsNVPairs == [ ] then - throwIf required "fetcher called without `hash`" null + if required then throw "fetcher called without `hash`" else null else if length hashesAsNVPairs != 1 then throw "fetcher called with mutually-incompatible arguments: ${ concatMapStringsSep ", " (a: a.name) hashesAsNVPairs From dd6f1736b78c83593544cf9959750973f2efc93a Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:31:54 -0400 Subject: [PATCH 39/54] lib.gvariant: remove throwIf usage throwIf sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/gvariant.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/gvariant.nix b/lib/gvariant.nix index f64808347ee8..3749e4c82d3b 100644 --- a/lib/gvariant.nix +++ b/lib/gvariant.nix @@ -191,7 +191,9 @@ rec { mkArray = elems: let - vs = map mkValue (lib.throwIf (elems == [ ]) "Please create empty array with mkEmptyArray." elems); + vs = map mkValue ( + if elems == [ ] then throw "Please create empty array with mkEmptyArray." else elems + ); elemType = lib.throwIfNot (lib.all (t: (head vs).type == t) ( map (v: v.type) vs )) "Elements in a list should have same type." (head vs).type; From 44eafb29537d5c3d786915a17f0c05dddec17afb Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:32:12 -0400 Subject: [PATCH 40/54] lib.types: remove throwIf usage throwIf sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/types.nix | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/lib/types.nix b/lib/types.nix index 41acfd907854..e7a8763983a1 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -21,7 +21,6 @@ let isString substring sort - throwIf toDerivation toList types @@ -660,10 +659,10 @@ rec { inStore ? null, absolute ? null, }: - throwIf (inStore != null && absolute != null && inStore && !absolute) - "In pathWith, inStore means the path must be absolute" - mkOptionType - { + if inStore != null && absolute != null && inStore && !absolute then + throw "In pathWith, inStore means the path must be absolute" + else + mkOptionType { name = "path"; description = ( (if absolute == null then "" else (if absolute then "absolute " else "relative ")) @@ -1079,8 +1078,8 @@ rec { builtins.addErrorContext "while checking that attrTag tag ${lib.strings.escapeNixIdentifier n} is an option with a type${inAttrPosSuffix tags_ n}" ( - throwIf (opt._type or null != "option") - "In attrTag, each tag value must be an option, but tag ${lib.strings.escapeNixIdentifier n} ${ + if opt._type or null != "option" then + throw "In attrTag, each tag value must be an option, but tag ${lib.strings.escapeNixIdentifier n} ${ if opt ? _type then if opt._type == "option-type" then "was a bare type, not wrapped in mkOption." @@ -1089,23 +1088,24 @@ rec { else "was not." }" + else opt - // { - declarations = - opt.declarations or ( - let - pos = builtins.unsafeGetAttrPos n tags_; - in - if pos == null then [ ] else [ pos.file ] - ); - declarationPositions = - opt.declarationPositions or ( - let - pos = builtins.unsafeGetAttrPos n tags_; - in - if pos == null then [ ] else [ pos ] - ); - } + // { + declarations = + opt.declarations or ( + let + pos = builtins.unsafeGetAttrPos n tags_; + in + if pos == null then [ ] else [ pos.file ] + ); + declarationPositions = + opt.declarationPositions or ( + let + pos = builtins.unsafeGetAttrPos n tags_; + in + if pos == null then [ ] else [ pos ] + ); + } ) ) tags_; choicesStr = concatMapStringsSep ", " lib.strings.escapeNixIdentifier (attrNames tags); From 079b1a7d07b26f8f81261cce068f6d5221ac7542 Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:37:09 -0400 Subject: [PATCH 41/54] lib.derivations: remove throwIfNot usage throwIfNot sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/derivations.nix | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/lib/derivations.nix b/lib/derivations.nix index 053625a2be0e..15c3495163a8 100644 --- a/lib/derivations.nix +++ b/lib/derivations.nix @@ -6,7 +6,6 @@ let isString mapAttrs removeAttrs - throwIfNot ; showMaybeAttrPosPre = @@ -108,18 +107,18 @@ in # attrset spine returned by lazyDerivation does not depend on it. # Instead, the individual derivation attributes do depend on it. checked = - throwIfNot (derivation.type or null == "derivation") "lazyDerivation: input must be a derivation." - throwIfNot - # NOTE: Technically we could require our outputs to be a subset of the - # actual ones, or even leave them unchecked and fail on a lazy basis. - # However, consider the case where an output is added in the underlying - # derivation, such as dev. lazyDerivation would remove it and cause it - # to fail as a buildInputs item, without any indication as to what - # happened. Hence the more stringent condition. We could consider - # adding a flag to control this behavior if there's a valid case for it, - # but the documentation must have a note like this. - (derivation.outputs == outputs) - '' + if derivation.type or null != "derivation" then + throw "lazyDerivation: input must be a derivation." + # NOTE: Technically we could require our outputs to be a subset of the + # actual ones, or even leave them unchecked and fail on a lazy basis. + # However, consider the case where an output is added in the underlying + # derivation, such as dev. lazyDerivation would remove it and cause it + # to fail as a buildInputs item, without any indication as to what + # happened. Hence the more stringent condition. We could consider + # adding a flag to control this behavior if there's a valid case for it, + # but the documentation must have a note like this. + else if derivation.outputs != outputs then + throw '' lib.lazyDerivation: The derivation ${derivation.name or ""} has outputs that don't match the assumed outputs. Assumed outputs passed to lazyDerivation${showMaybeAttrPosPre ",\n at " "outputs" args}: @@ -142,6 +141,7 @@ in If none of the above works for you, replace the lib.lazyDerivation call by the expression in the derivation argument. '' + else derivation; in { From feb74fca3771f93fabdc86b6f682cbe276e487ad Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:37:16 -0400 Subject: [PATCH 42/54] lib.gvariant: remove throwIfNot usage throwIfNot sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/gvariant.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/gvariant.nix b/lib/gvariant.nix index 3749e4c82d3b..810e0db799bd 100644 --- a/lib/gvariant.nix +++ b/lib/gvariant.nix @@ -194,9 +194,11 @@ rec { vs = map mkValue ( if elems == [ ] then throw "Please create empty array with mkEmptyArray." else elems ); - elemType = lib.throwIfNot (lib.all (t: (head vs).type == t) ( - map (v: v.type) vs - )) "Elements in a list should have same type." (head vs).type; + elemType = + if lib.any (t: (head vs).type != t) (map (v: v.type) vs) then + throw "Elements in a list should have same type." + else + (head vs).type; in mkPrimitive (type.arrayOf elemType) vs // { From e1ae8a8194f6aa153286aee24fb1d3ddd25662f5 Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:38:25 -0400 Subject: [PATCH 43/54] lib.gvariant.mkArray: refactor --- lib/gvariant.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/gvariant.nix b/lib/gvariant.nix index 810e0db799bd..d47d5120ef9a 100644 --- a/lib/gvariant.nix +++ b/lib/gvariant.nix @@ -194,11 +194,12 @@ rec { vs = map mkValue ( if elems == [ ] then throw "Please create empty array with mkEmptyArray." else elems ); + firstType = (head vs).type; elemType = - if lib.any (t: (head vs).type != t) (map (v: v.type) vs) then + if lib.any (v: v.type != firstType) vs then throw "Elements in a list should have same type." else - (head vs).type; + firstType; in mkPrimitive (type.arrayOf elemType) vs // { From bb50241c6057c3996e469ea5049fa33a790336ed Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:38:37 -0400 Subject: [PATCH 44/54] lib.modules: remove throwIfNot usage throwIfNot sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/modules.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/modules.nix b/lib/modules.nix index c5c935144ea6..a206ed6ed8e2 100644 --- a/lib/modules.nix +++ b/lib/modules.nix @@ -46,7 +46,6 @@ let setAttrByPath substring take - throwIfNot trace typeOf types @@ -680,8 +679,11 @@ let config = addFreeformType (addMeta (m.config or { })); } else - # shorthand syntax - throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module." { + # shorthand syntax + if !isAttrs m then + throw "module ${file} (${key}) does not look like a module." + else + { _file = toString m._file or file; _class = m._class or null; key = toString m.key or key; From ed29e1b0310185f1417daec8910e46aacfca687d Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Tue, 26 May 2026 13:38:47 -0400 Subject: [PATCH 45/54] lib.strings: remove throwIfNot usage throwIfNot sends our error message through a function call, even if the error condition doesn't trigger. This requires a lot of thunk allocation that can be easily avoided. --- lib/strings.nix | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/lib/strings.nix b/lib/strings.nix index a926edfaeba6..59a458aecf80 100644 --- a/lib/strings.nix +++ b/lib/strings.nix @@ -1589,15 +1589,14 @@ rec { */ toSentenceCase = str: - lib.throwIfNot (isString str) - "toSentenceCase does only accepts string values, but got ${typeOf str}" - ( - let - firstChar = substring 0 1 str; - rest = substring 1 (-1) str; # -1 takes till the end of the string - in - toUpper firstChar + toLower rest - ); + if !isString str then + throw "toSentenceCase does only accepts string values, but got ${typeOf str}" + else + let + firstChar = substring 0 1 str; + rest = substring 1 (-1) str; # -1 takes till the end of the string + in + toUpper firstChar + toLower rest; /** Converts a string to camelCase. Handles snake_case, PascalCase, @@ -1633,7 +1632,9 @@ rec { */ toCamelCase = str: - lib.throwIfNot (isString str) "toCamelCase does only accepts string values, but got ${typeOf str}" ( + if !isString str then + throw "toCamelCase does only accepts string values, but got ${typeOf str}" + else let separators = splitStringBy ( prev: curr: @@ -1653,8 +1654,7 @@ rec { first = if length parts > 0 then toLower (head parts) else ""; rest = if length parts > 1 then map toSentenceCase (tail parts) else [ ]; in - concatStrings ([ first ] ++ rest) - ); + concatStrings ([ first ] ++ rest); /** Appends string context from string like object `src` to `target`. From 2ff8d5c2e03a45257204d8c7a35c69158cc8ff10 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 1 Jul 2026 02:01:50 +0000 Subject: [PATCH 46/54] terraform-providers.newrelic_newrelic: 3.93.2 -> 3.94.0 --- .../networking/cluster/terraform-providers/providers.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/networking/cluster/terraform-providers/providers.json b/pkgs/applications/networking/cluster/terraform-providers/providers.json index 59451136a9d6..9cfdd3b9cb4a 100644 --- a/pkgs/applications/networking/cluster/terraform-providers/providers.json +++ b/pkgs/applications/networking/cluster/terraform-providers/providers.json @@ -968,13 +968,13 @@ "vendorHash": "sha256-OAd8SeTqTrH0kMoM2LsK3vM2PI23b3gl57FaJYM9hM0=" }, "newrelic_newrelic": { - "hash": "sha256-sUawDMMhwCo2xqnPNiaRMGKo3rRxNGjLEl2NYwfVuMk=", + "hash": "sha256-/y3BdJAwmmR9FHzbYh+2EBAae+WQp5+wubPEh6Tw98s=", "homepage": "https://registry.terraform.io/providers/newrelic/newrelic", "owner": "newrelic", "repo": "terraform-provider-newrelic", - "rev": "v3.93.2", + "rev": "v3.94.0", "spdx": "MPL-2.0", - "vendorHash": "sha256-fCdwTWYbwuJUh+9WeVN5WmpPxdop49oHZ2cUm3K5w6w=" + "vendorHash": "sha256-gbkuHyFBc1WUbtDFXnyzUlYdIvyFPwBHd+gg7VPenb4=" }, "ns1-terraform_ns1": { "hash": "sha256-6w0r6QXm16h4I4PFj80dJhTDbF4FPMjJalO0TfXGBEA=", From e00f711fb217048d938c5583a59d100b4c1d6b44 Mon Sep 17 00:00:00 2001 From: sempiternal-aurora <78790545+sempiternal-aurora@users.noreply.github.com> Date: Tue, 30 Jun 2026 22:33:59 +1000 Subject: [PATCH 47/54] pango: fix build on darwin --- pkgs/by-name/pa/pango/package.nix | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/pa/pango/package.nix b/pkgs/by-name/pa/pango/package.nix index e05febccd593..4122b43b8550 100644 --- a/pkgs/by-name/pa/pango/package.nix +++ b/pkgs/by-name/pa/pango/package.nix @@ -25,6 +25,8 @@ buildPackages, gobject-introspection, testers, + # TODO: Clean up on `staging`. + llvmPackages, }: stdenv.mkDerivation (finalAttrs: { @@ -58,6 +60,10 @@ stdenv.mkDerivation (finalAttrs: { ++ lib.optionals withIntrospection [ gi-docgen gobject-introspection + ] + # TODO: Clean up on `staging`. + ++ lib.optionals stdenv.hostPlatform.isDarwin [ + llvmPackages.lld ]; buildInputs = [ @@ -83,8 +89,17 @@ stdenv.mkDerivation (finalAttrs: { ]; # Fontconfig error: Cannot load default config file - env.FONTCONFIG_FILE = makeFontsConf { - fontDirectories = [ freefont_ttf ]; + env = { + FONTCONFIG_FILE = makeFontsConf { + fontDirectories = [ freefont_ttf ]; + }; + } + // lib.optionalAttrs stdenv.hostPlatform.isDarwin { + # workaround for ld64 hardening issue + # + # TODO: Clean up on `staging` + CC_LD = "lld"; + OBJC_LD = "lld"; }; # Run-time dependency gi-docgen found: NO (tried pkgconfig and cmake) From 80748a6ce4444826c0fa3deb3c23aab7d88563eb Mon Sep 17 00:00:00 2001 From: sempiternal-aurora <78790545+sempiternal-aurora@users.noreply.github.com> Date: Tue, 30 Jun 2026 22:34:13 +1000 Subject: [PATCH 48/54] tk: fix build on darwin --- pkgs/development/libraries/tk/generic.nix | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/tk/generic.nix b/pkgs/development/libraries/tk/generic.nix index 65270be3e345..7088a60468cc 100644 --- a/pkgs/development/libraries/tk/generic.nix +++ b/pkgs/development/libraries/tk/generic.nix @@ -9,6 +9,8 @@ zlib, patches ? [ ], enableAqua ? stdenv.hostPlatform.isDarwin, + # TODO: Clean up on `staging`. + llvmPackages, ... }: @@ -74,6 +76,10 @@ tcl.mkTclDerivation { ++ lib.optionals (lib.versionAtLeast tcl.version "9.0") [ # Only used to detect the presence of zlib. Could be replaced with a stub. zip + ] + # TODO: Clean up on `staging`. + ++ lib.optionals stdenv.hostPlatform.isDarwin [ + llvmPackages.lld ]; buildInputs = lib.optionals (lib.versionAtLeast tcl.version "9.0") [ zlib @@ -89,9 +95,16 @@ tcl.mkTclDerivation { inherit tcl; - env = lib.optionalAttrs (lib.versionOlder tcl.version "8.6") { - NIX_CFLAGS_COMPILE = "-std=gnu17"; - }; + env = + lib.optionalAttrs (lib.versionOlder tcl.version "8.6") { + NIX_CFLAGS_COMPILE = "-std=gnu17"; + } + // lib.optionalAttrs stdenv.hostPlatform.isDarwin { + # workaround for ld64 hardening issue + # + # TODO: Clean up on `staging` + NIX_CFLAGS_COMPILE = "-fuse-ld=lld"; + }; passthru = rec { inherit (tcl) release version; From d8fcedbd279b575bf2f46ed29e6d81264b8f4025 Mon Sep 17 00:00:00 2001 From: sempiternal-aurora <78790545+sempiternal-aurora@users.noreply.github.com> Date: Wed, 1 Jul 2026 12:05:32 +1000 Subject: [PATCH 49/54] pango: fix pkg-config test --- pkgs/by-name/pa/pango/package.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/by-name/pa/pango/package.nix b/pkgs/by-name/pa/pango/package.nix index 4122b43b8550..90028c86166a 100644 --- a/pkgs/by-name/pa/pango/package.nix +++ b/pkgs/by-name/pa/pango/package.nix @@ -154,6 +154,8 @@ stdenv.mkDerivation (finalAttrs: { "pangofc" "pangoft2" "pangoot" + ] + ++ lib.optionals x11Support [ "pangoxft" ]; }; From d8595015131f1386dcddbfe7ada8827cfcdd9009 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 1 Jul 2026 02:24:06 +0000 Subject: [PATCH 50/54] phpstan: 2.2.2 -> 2.2.3 --- pkgs/by-name/ph/phpstan/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ph/phpstan/package.nix b/pkgs/by-name/ph/phpstan/package.nix index cdc91f106bd9..e24c35dc4c40 100644 --- a/pkgs/by-name/ph/phpstan/package.nix +++ b/pkgs/by-name/ph/phpstan/package.nix @@ -9,13 +9,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "phpstan"; - version = "2.2.2"; + version = "2.2.3"; src = fetchFromGitHub { owner = "phpstan"; repo = "phpstan"; tag = finalAttrs.version; - hash = "sha256-4C3d8ae9TGpyLNspClSS+Eor6epjG1BTS/Nzy4K5zZE="; + hash = "sha256-P0LmURcau2DGHJI5NZd9nZ56rWvO1EDYXoK1++ZcG6A="; }; nativeBuildInputs = [ From acaf38af9430780124226dfe00710b5e52df77c9 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 1 Jul 2026 02:51:32 +0000 Subject: [PATCH 51/54] mailpit: 1.30.2 -> 1.30.3 --- pkgs/by-name/ma/mailpit/source.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/by-name/ma/mailpit/source.nix b/pkgs/by-name/ma/mailpit/source.nix index 163ac2f273cb..16256eccff09 100644 --- a/pkgs/by-name/ma/mailpit/source.nix +++ b/pkgs/by-name/ma/mailpit/source.nix @@ -1,6 +1,6 @@ { - version = "1.30.2"; - hash = "sha256-37nJRJL1mxvUdD7L9/yO/Lzyjvn09Tu9xHTEt4pxu2s="; - npmDepsHash = "sha256-AApRrIIYC4NtKIFyGQ3lnKIOk7LZNDK8wvUUbSczTrA="; - vendorHash = "sha256-em0317Q1u5sl8gws4/qqM8e9H5F4vfBiM7tLCyufgEk="; + version = "1.30.3"; + hash = "sha256-6Vt1GpGWHfaYaORBFa/cB+AxYQxAdkGtGTsrvL08dsA="; + npmDepsHash = "sha256-vXAXuvKqLWbwCjSLNS8mLDA9AmaGSRsB67iKQMi+/No="; + vendorHash = "sha256-A/kef2PgrA0Jpb/o+f1nUeiwSibOgsnyYLOzJ/HB1Fo="; } From 979881abc50ecc69e53854be9b88c636ba817fe3 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 1 Jul 2026 05:08:39 +0000 Subject: [PATCH 52/54] terraform-providers.dopplerhq_doppler: 1.21.3 -> 1.21.4 --- .../networking/cluster/terraform-providers/providers.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/networking/cluster/terraform-providers/providers.json b/pkgs/applications/networking/cluster/terraform-providers/providers.json index 59451136a9d6..023b40ec07dc 100644 --- a/pkgs/applications/networking/cluster/terraform-providers/providers.json +++ b/pkgs/applications/networking/cluster/terraform-providers/providers.json @@ -355,11 +355,11 @@ "vendorHash": null }, "dopplerhq_doppler": { - "hash": "sha256-vYLNRSk8U9Ez5+LrC9cr6Ux32p7n93WOJaM4lY7ghE0=", + "hash": "sha256-SS2S4JGG1Xu0p4k6lVlTr173Xanwc6hZ0A3osEWGdEg=", "homepage": "https://registry.terraform.io/providers/DopplerHQ/doppler", "owner": "DopplerHQ", "repo": "terraform-provider-doppler", - "rev": "v1.21.3", + "rev": "v1.21.4", "spdx": "Apache-2.0", "vendorHash": "sha256-B8mYLd4VdADWoQLWiCM85VQrBfDdlYQ0wkCp9eUBQ4U=" }, From c7d40d39db98d15348374c3bb3c7a89ca9308e2d Mon Sep 17 00:00:00 2001 From: daspk04 Date: Wed, 1 Jul 2026 00:44:48 -0500 Subject: [PATCH 53/54] skypilot: patch CVE-2026-13482 --- pkgs/by-name/sk/skypilot/CVE-2026-13482.patch | 364 ++++++++++++++++++ pkgs/by-name/sk/skypilot/package.nix | 2 + 2 files changed, 366 insertions(+) create mode 100644 pkgs/by-name/sk/skypilot/CVE-2026-13482.patch diff --git a/pkgs/by-name/sk/skypilot/CVE-2026-13482.patch b/pkgs/by-name/sk/skypilot/CVE-2026-13482.patch new file mode 100644 index 000000000000..a6c7766082d6 --- /dev/null +++ b/pkgs/by-name/sk/skypilot/CVE-2026-13482.patch @@ -0,0 +1,364 @@ +From 2435727f0c6b02d56e254a5ba1d8e041c7c33c86 Mon Sep 17 00:00:00 2001 +From: DanielZhangQD <36026334+DanielZhangQD@users.noreply.github.com> +Date: Mon, 29 Jun 2026 14:59:48 +0800 +Subject: [PATCH] [Core] Mark non-security MD5/SHA1 hashes with + usedforsecurity=False (#9972) + +* [Core] Mark non-security MD5/SHA1 hashes with usedforsecurity=False + +These hashlib.md5/sha1 calls derive identifiers, cache keys, and resource +names from non-secret inputs (usernames, paths, region/subscription ids, +cluster/host names, wheel/catalog contents). None protects a secret or +makes an authentication decision -- passwords use bcrypt via crypt_ctx and +auth is enforced by oauth2-proxy / SSO. Pass usedforsecurity=False so +weak-hash scanners (CWE-328) stop flagging them. The flag does not change +any digest value, so all derived ids, cache keys and names are unchanged. + +Co-Authored-By: Claude Opus 4.8 (1M context) + +* [Core] Address review: avoid split hexdigest() call in oauth2_proxy + +Compute the digest first, then slice, instead of splitting the empty +hexdigest() parentheses across lines. yapf-stable and more readable. + +Co-Authored-By: Claude Opus 4.8 (1M context) + +--------- + +Co-authored-by: Claude Opus 4.8 (1M context) +--- + sky/backends/backend_utils.py | 3 ++- + sky/backends/wheel_utils.py | 3 ++- + sky/batch/io_formats.py | 3 ++- + sky/catalog/aws_catalog.py | 6 ++++-- + sky/catalog/common.py | 4 +++- + sky/clouds/aws.py | 2 +- + sky/clouds/nebius.py | 3 ++- + sky/data/mounting_utils.py | 3 ++- + sky/data/storage.py | 6 ++++-- + sky/provision/azure/config.py | 2 +- + sky/provision/kubernetes/utils.py | 3 ++- + sky/provision/scp/instance.py | 2 +- + sky/server/auth/oauth2_proxy.py | 7 +++++-- + sky/server/server.py | 5 ++++- + sky/users/permission.py | 6 ++++-- + sky/users/server.py | 13 ++++++++++--- + sky/utils/command_runner.py | 7 ++++--- + sky/utils/common_utils.py | 13 ++++++++++--- + sky/utils/kubernetes/gpu_labeler.py | 3 ++- + 19 files changed, 65 insertions(+), 29 deletions(-) + +diff --git a/sky/backends/backend_utils.py b/sky/backends/backend_utils.py +index ff4662b4160..ec0b4bf74fb 100644 +--- a/sky/backends/backend_utils.py ++++ b/sky/backends/backend_utils.py +@@ -707,7 +707,8 @@ def get_expirable_clouds( + + + def _get_volume_name(path: str, cluster_name_on_cloud: str) -> str: +- path_hash = hashlib.md5(path.encode()).hexdigest()[:6] ++ path_hash = hashlib.md5(path.encode(), ++ usedforsecurity=False).hexdigest()[:6] + return f'{cluster_name_on_cloud}-{path_hash}' + + +diff --git a/sky/backends/wheel_utils.py b/sky/backends/wheel_utils.py +index 4cfd4c485a5..f142011bfe1 100644 +--- a/sky/backends/wheel_utils.py ++++ b/sky/backends/wheel_utils.py +@@ -210,7 +210,8 @@ def _build_sky_wheel() -> pathlib.Path: + # wheel content hash doesn't change. + with open(wheel_path, 'rb') as f: + contents = f.read() +- hash_of_latest_wheel = hashlib.md5(contents).hexdigest() ++ hash_of_latest_wheel = hashlib.md5(contents, ++ usedforsecurity=False).hexdigest() + + wheel_dir = WHEEL_DIR / hash_of_latest_wheel + wheel_dir.mkdir(parents=True, exist_ok=True) +diff --git a/sky/catalog/aws_catalog.py b/sky/catalog/aws_catalog.py +index c2480965708..e842068beaa 100644 +--- a/sky/catalog/aws_catalog.py ++++ b/sky/catalog/aws_catalog.py +@@ -113,7 +113,8 @@ def _get_az_mappings(aws_user_hash: str) -> Optional['pd.DataFrame']: + # Write md5 of the az_mapping file to a file so we can check it for + # any changes when uploading to the controller + with open(az_mapping_path, 'r', encoding='utf-8') as f: +- az_mapping_hash = hashlib.md5(f.read().encode()).hexdigest() ++ az_mapping_hash = hashlib.md5(f.read().encode(), ++ usedforsecurity=False).hexdigest() + with open(az_mapping_md5_path, 'w', encoding='utf-8') as f: + f.write(az_mapping_hash) + else: +@@ -147,7 +148,8 @@ def _fetch_and_apply_az_mapping(df: common.LazyDataFrame) -> 'pd.DataFrame': + user_identity_list = aws.AWS.get_active_user_identity() + assert user_identity_list, user_identity_list + user_identity = user_identity_list[0] +- aws_user_hash = hashlib.md5(user_identity.encode()).hexdigest()[:8] ++ aws_user_hash = hashlib.md5(user_identity.encode(), ++ usedforsecurity=False).hexdigest()[:8] + except (exceptions.CloudUserIdentityError, ImportError): + # If failed to get user identity, or import aws dependencies, we use the + # latest mapping file or the default mapping file. +diff --git a/sky/catalog/common.py b/sky/catalog/common.py +index 00829871e53..a0397e6301f 100644 +--- a/sky/catalog/common.py ++++ b/sky/catalog/common.py +@@ -291,7 +291,9 @@ def _update_catalog(): + tmp_path = f.name + os.rename(tmp_path, catalog_path) + with open(meta_path + '.md5', 'w', encoding='utf-8') as f: +- f.write(hashlib.md5(r.text.encode()).hexdigest()) ++ f.write( ++ hashlib.md5(r.text.encode(), ++ usedforsecurity=False).hexdigest()) + logger.debug(f'Updated {cloud} catalog {filename}.') + return True + +diff --git a/sky/clouds/aws.py b/sky/clouds/aws.py +index af4ca56e911..06607e0d802 100644 +--- a/sky/clouds/aws.py ++++ b/sky/clouds/aws.py +@@ -1347,7 +1347,7 @@ def get_user_identities(cls) -> Optional[List[List[str]]]: + # - aws credentials are not set, proceed anyway to get unified error + # message for users + return cls._sts_get_caller_identity() +- config_hash = hashlib.md5(stdout).hexdigest()[:8] ++ config_hash = hashlib.md5(stdout, usedforsecurity=False).hexdigest()[:8] + # Getting aws identity cost ~1s, so we cache the result with the output of + # `aws configure list` as cache key. Different `aws configure list` output + # can have same aws identity, our assumption is the output would be stable +diff --git a/sky/data/mounting_utils.py b/sky/data/mounting_utils.py +index f49a8db097f..6b97b2d6ef0 100644 +--- a/sky/data/mounting_utils.py ++++ b/sky/data/mounting_utils.py +@@ -714,7 +714,8 @@ def get_mount_cached_cmd( + # This is because the full path may be longer than + # the filename length limit. + # The hash is a non-negative integer in string form. +- hashed_mount_path = hashlib.md5(mount_path.encode()).hexdigest() ++ hashed_mount_path = hashlib.md5(mount_path.encode(), ++ usedforsecurity=False).hexdigest() + log_file_path = os.path.join(constants.RCLONE_MOUNT_CACHED_LOG_DIR, + f'{hashed_mount_path}.log') + create_log_cmd = (f'mkdir -p {constants.RCLONE_MOUNT_CACHED_LOG_DIR} && ' +diff --git a/sky/data/storage.py b/sky/data/storage.py +index 022fc471f41..13e068c5be5 100644 +--- a/sky/data/storage.py ++++ b/sky/data/storage.py +@@ -3367,10 +3367,12 @@ def get_default_storage_account_name(region: Optional[str]) -> str: + """ + assert region is not None + subscription_id = azure.get_subscription_id() +- subscription_hash_obj = hashlib.md5(subscription_id.encode('utf-8')) ++ subscription_hash_obj = hashlib.md5(subscription_id.encode('utf-8'), ++ usedforsecurity=False) + subscription_hash = subscription_hash_obj.hexdigest( + )[:AzureBlobStore._SUBSCRIPTION_HASH_LENGTH] +- region_hash_obj = hashlib.md5(region.encode('utf-8')) ++ region_hash_obj = hashlib.md5(region.encode('utf-8'), ++ usedforsecurity=False) + region_hash = region_hash_obj.hexdigest()[:AzureBlobStore. + _REGION_HASH_LENGTH] + +diff --git a/sky/provision/azure/config.py b/sky/provision/azure/config.py +index 2dbf115807f..074bc801c3e 100644 +--- a/sky/provision/azure/config.py ++++ b/sky/provision/azure/config.py +@@ -44,7 +44,7 @@ def get_azure_sdk_function(client: Any, function_name: str) -> Callable: + + def get_cluster_id_and_nsg_name(resource_group: str, + cluster_name_on_cloud: str) -> Tuple[str, str]: +- hasher = hashlib.md5(resource_group.encode('utf-8')) ++ hasher = hashlib.md5(resource_group.encode('utf-8'), usedforsecurity=False) + unique_id = hasher.hexdigest()[:UNIQUE_ID_LEN] + # We use the cluster name + resource group hash as the + # unique ID for the cluster, as we need to make sure that +diff --git a/sky/provision/kubernetes/utils.py b/sky/provision/kubernetes/utils.py +index 1ec32ffb095..e3478c45608 100644 +--- a/sky/provision/kubernetes/utils.py ++++ b/sky/provision/kubernetes/utils.py +@@ -5085,7 +5085,8 @@ def format_kubeconfig_exec_auth_with_cache(kubeconfig_path: str) -> str: + with open(kubeconfig_path, 'r', encoding='utf-8') as file: + config = yaml_utils.safe_load(file) + normalized = yaml.dump(config, sort_keys=True) +- hashed = hashlib.sha1(normalized.encode('utf-8')).hexdigest() ++ hashed = hashlib.sha1(normalized.encode('utf-8'), ++ usedforsecurity=False).hexdigest() + path = os.path.expanduser( + f'{kubernetes_constants.SKY_K8S_EXEC_AUTH_KUBECONFIG_CACHE}/{hashed}.yaml' + ) +diff --git a/sky/provision/scp/instance.py b/sky/provision/scp/instance.py +index 9aae05c9196..5a03c308e3f 100644 +--- a/sky/provision/scp/instance.py ++++ b/sky/provision/scp/instance.py +@@ -223,7 +223,7 @@ def _worker(cluster_name_on_cloud: str): + + + def _suffix(name: str, n: int = 5): +- return hashlib.sha1(name.encode()).hexdigest()[:n] ++ return hashlib.sha1(name.encode(), usedforsecurity=False).hexdigest()[:n] + + + def _get_instance_id(instance_name, cluster_name_on_cloud): +diff --git a/sky/server/auth/oauth2_proxy.py b/sky/server/auth/oauth2_proxy.py +index dece4792fa9..7d117642cf7 100644 +--- a/sky/server/auth/oauth2_proxy.py ++++ b/sky/server/auth/oauth2_proxy.py +@@ -204,8 +204,11 @@ def get_auth_user( + """Extract user info from OAuth2 proxy response headers.""" + email_header = response.headers.get('X-Auth-Request-Email') + if email_header: +- user_hash = hashlib.md5(email_header.encode()).hexdigest( +- )[:common_utils.USER_HASH_LENGTH] ++ # MD5 only derives a stable user id from the (non-secret) SSO ++ # email; auth itself is done by oauth2-proxy. Not a security use. ++ email_hash = hashlib.md5(email_header.encode(), ++ usedforsecurity=False).hexdigest() ++ user_hash = email_hash[:common_utils.USER_HASH_LENGTH] + return models.User(id=user_hash, + name=email_header, + user_type=models.UserType.SSO.value) +diff --git a/sky/server/server.py b/sky/server/server.py +index 4ec8ce1a86d..995ef89764c 100644 +--- a/sky/server/server.py ++++ b/sky/server/server.py +@@ -282,8 +282,11 @@ def _extract_user_from_header( + if not user_name: + return None + ++ # MD5 only derives a stable user id from the (non-secret) user name; ++ # not a security use. + user_hash = hashlib.md5( +- user_name.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH] ++ user_name.encode(), ++ usedforsecurity=False).hexdigest()[:common_utils.USER_HASH_LENGTH] + if proxy_config.enabled: + return models.User(id=user_hash, + name=user_name, +diff --git a/sky/users/permission.py b/sky/users/permission.py +index 82fb2877e50..a07be1c9b05 100644 +--- a/sky/users/permission.py ++++ b/sky/users/permission.py +@@ -182,8 +182,10 @@ def _maybe_initialize_basic_auth_user(self) -> None: + return + username, password = basic_auth.split(':', 1) + if username and password: +- user_hash = hashlib.md5( +- username.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH] ++ # MD5 only derives a stable user id from the (non-secret) ++ # username; the password is checked separately. Not a security use. ++ user_hash = hashlib.md5(username.encode(), usedforsecurity=False ++ ).hexdigest()[:common_utils.USER_HASH_LENGTH] + user_info = global_user_state.get_user(user_hash) + if user_info: + logger.debug(f'Basic auth user {username} already exists') +diff --git a/sky/users/server.py b/sky/users/server.py +index 7cd42ee1726..8258702a2ff 100644 +--- a/sky/users/server.py ++++ b/sky/users/server.py +@@ -287,8 +287,12 @@ def user_create(user_create_body: payloads.UserCreateBody) -> None: + + # Create user + password_hash = server_common.crypt_ctx.hash(password) ++ # MD5 here only derives a stable user identifier from the (non-secret) ++ # username; it is not used for any security purpose (passwords use bcrypt ++ # via crypt_ctx). + user_hash = hashlib.md5( +- username.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH] ++ username.encode(), ++ usedforsecurity=False).hexdigest()[:common_utils.USER_HASH_LENGTH] + with _user_lock(user_hash): + # Check if user already exists + if global_user_state.get_user_by_name(username): +@@ -627,8 +631,11 @@ def user_import(user_import_body: payloads.UserImportBody) -> Dict[str, Any]: + # Password is plain text, hash it + password_hash = server_common.crypt_ctx.hash(password) + +- user_hash = hashlib.md5( +- username.encode()).hexdigest()[:common_utils.USER_HASH_LENGTH] ++ # MD5 only derives a stable user identifier from the (non-secret) ++ # username; not a security use (passwords use bcrypt via crypt_ctx). ++ user_hash = hashlib.md5(username.encode(), ++ usedforsecurity=False).hexdigest() ++ user_hash = user_hash[:common_utils.USER_HASH_LENGTH] + + with _user_lock(user_hash): + global_user_state.add_or_update_user( +diff --git a/sky/utils/command_runner.py b/sky/utils/command_runner.py +index 344a65eb789..44f981ac520 100644 +--- a/sky/utils/command_runner.py ++++ b/sky/utils/command_runner.py +@@ -875,8 +875,8 @@ def git_clone( + raise exceptions.CommandError(1, '', error_msg, None) + + # Remote script path (use a unique name to avoid conflicts) +- script_hash = hashlib.md5( +- f'{self.node_id}_{target_dir}'.encode()).hexdigest()[:8] ++ script_hash = hashlib.md5(f'{self.node_id}_{target_dir}'.encode(), ++ usedforsecurity=False).hexdigest()[:8] + remote_script_path = f'/tmp/sky_git_clone_{script_hash}.sh' + + # Step 1: Transfer the script to remote machine using rsync +@@ -992,7 +992,8 @@ def __init__( + self.ssh_private_key = ssh_private_key + self.ssh_control_name = ( + None if ssh_control_name is None else hashlib.md5( +- ssh_control_name.encode()).hexdigest()[:_HASH_MAX_LENGTH]) ++ ssh_control_name.encode(), ++ usedforsecurity=False).hexdigest()[:_HASH_MAX_LENGTH]) + self._ssh_proxy_command = ssh_proxy_command + self._ssh_proxy_jump = ssh_proxy_jump + self.disable_control_master = ( +diff --git a/sky/utils/common_utils.py b/sky/utils/common_utils.py +index 027a59d5bca..71e7034f6a7 100644 +--- a/sky/utils/common_utils.py ++++ b/sky/utils/common_utils.py +@@ -91,7 +91,10 @@ def is_valid_user_hash(user_hash: Optional[str]) -> bool: + def generate_user_hash() -> str: + """Generates a unique user-machine specific hash.""" + hash_str = user_and_hostname_hash() +- user_hash = hashlib.md5(hash_str.encode()).hexdigest()[:USER_HASH_LENGTH] ++ # MD5 only derives a stable machine-specific identifier, not a security ++ # use. ++ user_hash = hashlib.md5( ++ hash_str.encode(), usedforsecurity=False).hexdigest()[:USER_HASH_LENGTH] + if not is_valid_user_hash(user_hash): + # A fallback in case the hash is invalid. + user_hash = uuid.uuid4().hex[:USER_HASH_LENGTH] +@@ -297,7 +300,9 @@ def make_cluster_name_on_cloud(display_name: str, + if truncate_cluster_name.endswith('-'): + truncate_cluster_name = truncate_cluster_name.rstrip('-') + assert truncate_cluster_name_length > 0, (cluster_name_on_cloud, max_length) +- display_name_hash = hashlib.md5(display_name.encode()).hexdigest() ++ # MD5 only derives a short suffix for the cluster name, not a security use. ++ display_name_hash = hashlib.md5(display_name.encode(), ++ usedforsecurity=False).hexdigest() + # Use base36 to reduce the length of the hash. + display_name_hash = base36_encode(display_name_hash) + return (f'{truncate_cluster_name}' +@@ -650,7 +655,9 @@ def user_and_hostname_hash() -> str: + The reason is AWS security group names are derived from this string, and + thus changing the SG name makes these clusters unrecognizable. + """ +- hostname_hash = hashlib.md5(socket.gethostname().encode()).hexdigest()[-4:] ++ # MD5 only derives a short hostname suffix, not a security use. ++ hostname_hash = hashlib.md5(socket.gethostname().encode(), ++ usedforsecurity=False).hexdigest()[-4:] + return f'{getpass.getuser()}-{hostname_hash}' + + +diff --git a/sky/utils/kubernetes/gpu_labeler.py b/sky/utils/kubernetes/gpu_labeler.py +index 227847cd50c..5de797139f9 100644 +--- a/sky/utils/kubernetes/gpu_labeler.py ++++ b/sky/utils/kubernetes/gpu_labeler.py +@@ -71,7 +71,8 @@ def cleanup(context: Optional[str] = None) -> Tuple[bool, str]: + + def get_node_hash(node_name: str): + # Generates a 32 character md5 hash from a string +- md5_hash = hashlib.md5(node_name.encode()).hexdigest() ++ md5_hash = hashlib.md5(node_name.encode(), ++ usedforsecurity=False).hexdigest() + return md5_hash[:32] + + diff --git a/pkgs/by-name/sk/skypilot/package.nix b/pkgs/by-name/sk/skypilot/package.nix index fe2dfc14dbe9..71df3b03526f 100644 --- a/pkgs/by-name/sk/skypilot/package.nix +++ b/pkgs/by-name/sk/skypilot/package.nix @@ -38,6 +38,8 @@ python3Packages.buildPythonApplication (finalAttrs: { patches = [ ./0001-Fix-docker-flag-default-for-Click-8.2-compatibility.patch ./0002-Fix-websocket-proxy-call-script-directly-as-executable.patch + # https://github.com/skypilot-org/skypilot/pull/9972 + ./CVE-2026-13482.patch ]; nativeBuildInputs = [ From 90bfc388f67a58f90282a4ac9f51af857b7ceb24 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 1 Jul 2026 06:50:10 +0000 Subject: [PATCH 54/54] python3Packages.reolink-aio: 0.21.1 -> 0.21.3 --- pkgs/development/python-modules/reolink-aio/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/reolink-aio/default.nix b/pkgs/development/python-modules/reolink-aio/default.nix index d384a522147e..6efd2ecd025f 100644 --- a/pkgs/development/python-modules/reolink-aio/default.nix +++ b/pkgs/development/python-modules/reolink-aio/default.nix @@ -12,14 +12,14 @@ buildPythonPackage (finalAttrs: { pname = "reolink-aio"; - version = "0.21.1"; + version = "0.21.3"; pyproject = true; src = fetchFromGitHub { owner = "starkillerOG"; repo = "reolink_aio"; tag = finalAttrs.version; - hash = "sha256-Rq+fciIG3W0X+2zHSsI23pHbkr+A3flu3E6VbTEeKnI="; + hash = "sha256-XL6Z+1dr35XgMczUcxp4v3ejBcdgWkhUOISFA4lpjU4="; }; build-system = [ setuptools ];